Internal Audit Function
How do I structure an internal audit function — three lines of defense and risk-based planning?
Definition
The internal audit function is an independent, objective assurance and consulting activity that evaluates and improves the effectiveness of an organization's risk management, control, and governance processes. Under the IIA's Three Lines Model (2020), internal audit serves as the third line — providing independent assurance to the governing body. [src1] Risk-based audit planning aligns resources with the organization's highest-priority risks. [src2]
Key Properties
- Three Lines Model: First line (management owns risk), Second line (risk/compliance oversees), Third line (internal audit assures) [src1]
- Reporting line: Functionally to audit committee, administratively to senior management [src4]
- Risk-based planning: Annual plan derived from enterprise risk assessment [src2]
- IIA Standards: Global standards govern professional practice, independence, and quality assurance [src1]
- Delivery models: In-house, co-sourced, or fully outsourced [src3]
Constraints
- Internal audit must be organizationally independent — reporting solely to management violates IIA standards. [src1]
- Risk-based planning is only as good as the underlying risk assessment. [src2]
- Internal audit provides assurance, not management — auditors should not design controls. [src4]
- The Three Lines Model describes roles, not departments — one team may span multiple lines. [src1]
- Small organizations may not justify a dedicated function — co-sourcing or outsourcing are alternatives. [src3]
Framework Selection Decision Tree
START — User needs governance/risk assurance guidance
├── What is the primary need?
│   ├── Independent assurance over risk and controls
│   │   └── ✅ Internal Audit (this unit)
│   ├── Build the risk management program
│   │   └── → ERM Framework
│   ├── Financial statement audit (external)
│   │   └── → External audit standards (ISA/PCAOB)
│   └── Board governance structure
│       └── → Board Composition
├── Organization size?
│   ├── >500 employees → In-house function
│   ├── 100-500 → Co-sourced model
│   └── <100 → Outsourced or combined assurance
└── Functioning audit committee?
    ├── YES → Internal audit reports to it
    └── NO → Establish audit committee first
Application Checklist
Step 1: Establish the internal audit charter
- Inputs needed: Organizational structure, audit committee charter, regulatory requirements
- Output: Board-approved charter defining purpose, authority, and reporting lines
- Constraint: Must establish functional reporting to audit committee [src1]
Step 2: Build risk-based audit plan
- Inputs needed: Enterprise risk assessment, prior findings, regulatory focus areas
- Output: Risk-based annual audit plan with prioritized engagements
- Constraint: If no ERM exists, conduct audit-specific risk assessment first [src2]
Step 3: Execute engagements and report
- Inputs needed: Audit plan, system access, testing methodology
- Output: Audit reports with findings, root causes, and action plans
- Constraint: Findings must reach appropriate management and audit committee [src4]
Step 4: Monitor remediation and quality assurance
- Inputs needed: Outstanding action plans, prior findings, quality metrics
- Output: Follow-up verification, annual quality self-assessment
- Constraint: External quality assessment required at least every 5 years per IIA Standards [src1]
Anti-Patterns
Wrong: Internal audit reports only to the CFO
The chief audit executive (CAE) reports to the CFO with no audit committee reporting line. The CFO can suppress financial reporting findings. [src1]
Correct: Dual reporting with audit committee primacy
CAE reports functionally to the audit committee and administratively to the CEO. [src4]
Wrong: Cyclical audit plan ignoring risk
Every unit is audited on a fixed cycle regardless of risk, so high-risk areas are under-audited. [src2]
Correct: Risk-based audit planning
Derive the plan from risk assessment. High-risk areas audited annually; low-risk every 3-5 years. [src3]
Wrong: Internal audit designing controls
Auditors design controls they later audit, destroying independence. [src4]
Correct: Advise but do not manage
Audit can advise as a consulting engagement but must not own control implementation. [src1]
Common Misconceptions
Misconception: Internal audit is the same as external audit.
Reality: Internal audit provides ongoing assurance to the board on risk and controls. External audit opines on financial statements for shareholders. Different objectives, standards, and reporting lines. [src1]
Misconception: Three Lines of Defense means three departments.
Reality: The IIA's 2020 model explicitly states lines describe roles, not structures. A single person may perform across multiple lines. [src1]
Misconception: Internal audit only finds problems after the fact.
Reality: Modern internal audit includes consulting, continuous auditing, and data analytics for real-time insights. [src3]
Comparison with Similar Concepts
| Concept | Key Difference | When to Use |
|---|---|---|
| Internal Audit (Third Line) | Independent assurance over risk and controls | Board needs objective risk assurance |
| ERM (Second Line) | Builds and operates risk management framework | Organization needs to identify and manage risks |
| External Audit | Opinion on financial statement accuracy | Shareholders need financial statement assurance |
| Compliance (Second Line) | Monitors regulatory compliance | Organization tracks regulatory obligations |
When This Matters
Fetch this when a user asks about establishing an internal audit function, the Three Lines Model, risk-based audit planning, audit reporting lines, or internal vs. external audit differences.