What is the difference between Internal Audit Function and Internal Control System?

Let’s refresh some important areas before we get to the answer to this question so that no room is left for confusions. I will be having a quick go through each topic that is relevant.

Users require financial statements to fulfill their information needs and in order to reach good decisions they must have accurate information in their hands. Information can be inaccurate to extent that it is useless if it has material misstatements and it is the responsibility of the management to provide accurate financial statements. Material misstatements might creep into financial statements because of inherent risks.

To mitigate such inherent risks management implements internal control system. Through this internal control system it is ensured that organization is meeting its objectives of providing reliable financial statements. Though this is not the only objective of having an internal control system. Internal control system also helps management in following:

  • implementation and enforcement of policies designed by management
  • safeguarding of assets and resources of the business
  • supporting management in efficient and effective operations of the business

Many students confuse internal control system with accounting system but this is not correct. Accounting system is mostly a part of information system which in itself is a part of internal control system.

But for auditing purposes, external auditor is not interested in each and every aspect of the internal control system. Therefore, we will be restricting our discussion only to the aspect that internal control system’s major job is to provide timely, relevant and reliable set of financial statements.

Internal audit is a function (an activity – if “function” is too formal to understand) through which adequacy of internal control system is judged. This function or activity is performed by internal auditors who work FOR organization as an employee.

So, putting it together, organization uses internal control system to reduce risks of material misstatements in financial statements and to keep the internal control system at its best, it is monitored through internal audit function by internal auditors.

In all this external auditor has nothing to do with any of these and he DOES NOT work for organization rather he is there just to express an opinion whether financial statements are true and fair or else. However, to reach his opinion he assess the existence of risks by checking internal control system in order to determine whether audit risk is high or not. Because if internal control system in the opinion of auditor is not as good as it should have been under the given situation than his perception will be that there will be material misstatements in the financial statements and thus increased audit risk.

So, again putting it together to make a complete sense of all these three separate factors i.e. internal control system, internal audit and external auditor; we understood that management uses internal control system to reduce risks of material misstatements. And as management is depending on internal control system to catch misstatements internal control system should be working at its best and to ensure the same they have internal audit function which is performed by internal auditor who monitors internal control system’s workings. External auditor checks the internal control system only to make up his mind regarding audit risk and nothing else.


  1. Example of inherent risk, detection and control risk plz…

    • @Aris,

      Suppose accounting standards have changed. A treatment of certain type of transaction is now modified.
      Inherent risk – Employees may still treat the transaction old way because they are unaware. To control this we have to train them.

      Control risk – Even after training as it is new, employees may make mistakes applying the rules. To control this management will have to review the treatment of such transactions on regular basis.

      Detection risk – Auditor is aware of modification of treatment and treats it as high risk area and will design procedures to detect misstatements related to such transactions. But procedures failed to detect material misstatement that was there and was undetected.

      Hope this helps.

  2. hi I wanted to know the difference between internal control and internal audit from the details above I haven’t got the difference s clearly.
    Thank you

  3. Abreham nigussie

    Thank u,
    I need more about internal auditors tasks and responsibilities regarding to the standard.

  4. Bring out the differences between Internal control and Internal Audit and which one do you think is essential.

  5. Hi
    How would we differentiate among (i) Operational Risk & Internal Control System and (ii) Internal Audit & Compliance Monitoring?

  6. Thank you alot its clarify the area of confusion to me. am really happy with this answer.


Please enter your comment!
Please enter your name here