Internal Audit Function

Definition

The internal audit function is an independent, objective assurance and consulting activity that evaluates and improves the effectiveness of an organization's risk management, control, and governance processes. Under the IIA's Three Lines Model (2020), internal audit serves as the third line — providing independent assurance to the governing body. [src1] Risk-based audit planning aligns resources with the organization's highest-priority risks. [src2]

Key Properties

Three Lines Model: First line (management owns risk), Second line (risk/compliance oversees), Third line (internal audit assures) [src1]
Reporting line: Functionally to audit committee, administratively to senior management [src4]
Risk-based planning: Annual plan derived from enterprise risk assessment [src2]
IIA Standards: Global standards govern professional practice, independence, and quality assurance [src1]
Delivery models: In-house, co-sourced, or fully outsourced [src3]

Constraints

Internal audit must be organizationally independent — reporting solely to management violates IIA standards. [src1]
Risk-based planning is only as good as the underlying risk assessment. [src2]
Internal audit provides assurance, not management — auditors should not design controls. [src4]
The Three Lines Model describes roles, not departments — one team may span multiple lines. [src1]
Small organizations may not justify a dedicated function — co-sourcing or outsourcing are alternatives. [src3]

Framework Selection Decision Tree

START — User needs governance/risk assurance guidance
├── What is the primary need?
│   ├── Independent assurance over risk and controls
│   │   └── ✅ Internal Audit (this unit)
│   ├── Build the risk management program
│   │   └── → ERM Framework
│   ├── Financial statement audit (external)
│   │   └── → External audit standards (ISA/PCAOB)
│   └── Board governance structure
│       └── → Board Composition
├── Organization size?
│   ├── >500 employees → In-house function
│   ├── 100-500 → Co-sourced model
│   └── <100 → Outsourced or combined assurance
└── Functioning audit committee?
    ├── YES → Internal audit reports to it
    └── NO → Establish audit committee first

Application Checklist

Step 1: Establish the internal audit charter

Inputs needed: Organizational structure, audit committee charter, regulatory requirements
Output: Board-approved charter defining purpose, authority, and reporting lines
Constraint: Must establish functional reporting to audit committee [src1]

Step 2: Build risk-based audit plan

Inputs needed: Enterprise risk assessment, prior findings, regulatory focus areas
Output: Risk-based annual audit plan with prioritized engagements
Constraint: If no ERM exists, conduct audit-specific risk assessment first [src2]

Step 3: Execute engagements and report

Inputs needed: Audit plan, system access, testing methodology
Output: Audit reports with findings, root causes, and action plans
Constraint: Findings must reach appropriate management and audit committee [src4]

Step 4: Monitor remediation and quality assurance

Inputs needed: Outstanding action plans, prior findings, quality metrics
Output: Follow-up verification, annual quality self-assessment
Constraint: External quality assessment required at least every 5 years per IIA Standards [src1]

Anti-Patterns

Wrong: Internal audit reports only to the CFO

The CAE reports to the CFO with no audit committee reporting line. The CFO can suppress financial reporting findings. [src1]

Correct: Dual reporting with audit committee primacy

CAE reports functionally to the audit committee and administratively to the CEO. [src4]

Wrong: Cyclical audit plan ignoring risk

Every unit audited on a fixed cycle regardless of risk — high-risk areas underaudited. [src2]

Correct: Risk-based audit planning

Derive the plan from risk assessment. High-risk areas audited annually; low-risk every 3-5 years. [src3]

Wrong: Internal audit designing controls

Auditors design controls they later audit, destroying independence. [src4]

Correct: Advise but do not manage

Audit can advise as a consulting engagement but must not own control implementation. [src1]

Common Misconceptions

Misconception: Internal audit is the same as external audit.
Reality: Internal audit provides ongoing assurance to the board on risk and controls. External audit opines on financial statements for shareholders. Different objectives, standards, and reporting lines. [src1]

Misconception: Three Lines of Defense means three departments.
Reality: The IIA's 2020 model explicitly states lines describe roles, not structures. A single person may perform across multiple lines. [src1]

Misconception: Internal audit only finds problems after the fact.
Reality: Modern internal audit includes consulting, continuous auditing, and data analytics for real-time insights. [src3]

Comparison with Similar Concepts

Concept	Key Difference	When to Use
Internal Audit (Third Line)	Independent assurance over risk and controls	Board needs objective risk assurance
ERM (Second Line)	Builds and operates risk management framework	Organization needs to identify and manage risks
External Audit	Opinion on financial statement accuracy	Shareholders need financial statement assurance
Compliance (Second Line)	Monitors regulatory compliance	Organization tracks regulatory obligations

When This Matters

Fetch this when a user asks about establishing an internal audit function, the Three Lines Model, risk-based audit planning, audit reporting lines, or internal vs. external audit differences.