Internal audit and external audit serve different purposes, report to different people, and operate under different rules. But they’re often confused – especially by business owners who aren’t sure which one they actually need. This guide explains the key differences between internal and external audit, when each applies, and how they work together in practice.
What is the difference between internal and external audit?
An internal audit is carried out by people within the organisation (or outsourced to a firm acting on the company’s behalf). Internal auditors focus on evaluating internal controls, risk management processes, and operational efficiency. They report to the board or audit committee, not to shareholders.
An external audit is conducted by an independent auditor – someone with no financial or personal connection to the company. External auditors focus on whether the financial statements give a “true and fair view” under the applicable accounting framework (FRS 102 or IFRS in the UK). They report to the shareholders – and every other stakeholder who relies on the accounts – and provide assurance that the numbers can be trusted.
The distinction matters because internal audit is voluntary for most UK companies, while external audit is a legal requirement for any company that exceeds the statutory thresholds. Under the Companies Act 2006, a company needs a statutory external audit if it meets two of these three conditions: turnover above £15m, balance sheet total above £7.5m, or more than 50 employees.
Key differences at a glance
| | Internal audit | External audit |
|---|---|---|
| Purpose | Evaluate internal controls, risk management, and compliance | Provide assurance on financial statements |
| Who does it | Internal auditor (employee or outsourced) | Independent external auditor (registered auditor) |
| Reports to | Board, audit committee, or management | Shareholders and Companies House |
| Independence | Operationally independent of the areas being reviewed | Fully independent under FRC Revised Ethical Standard |
| Standards | IIA Standards (Institute of Internal Auditors) | ISA (UK) – International Standards on Auditing |
| Frequency | Ongoing throughout the year | Annually (with interim work possible) |
| Legal requirement | Required for premium-listed companies under the UK Corporate Governance Code | Required by Companies Act 2006 above threshold |
| Scope | Any area of the business – operations, IT, compliance, HR | Financial statements and related disclosures |
What does an internal auditor do?
The role is to help the organisation improve. Internal audits focus on testing whether internal controls actually work, identifying risks before they become problems, and checking that policies are being followed in practice – not just on paper.
Typical internal audit work includes:
- Reviewing purchase approval processes and checking for compliance with spending limits
- Testing IT access controls and data security procedures
- Evaluating the effectiveness of internal controls over financial reporting
- Investigating fraud risks and recommending preventive measures
- Assessing compliance with regulatory requirements specific to the industry
- Reviewing project governance and risk management on major initiatives
Internal audit reports go to the audit committee (in larger companies) or directly to the board. The lead practitioner makes recommendations, and management decides whether to implement them. Good teams focus on practical, actionable findings rather than theoretical risk registers that no one reads.
The Institute of Internal Auditors (IIA) sets the professional standards for internal audit globally. In the UK, the Chartered Institute of Internal Auditors provides guidance specific to UK governance requirements.
What does an external auditor do?
An external auditor examines the company’s financial statements and issues an audit report stating whether the accounts are free from material misstatement. External audits provide assurance to shareholders, lenders, and regulators that the financial information can be relied upon for decision-making.
External audits focus on the financial statements, and the engagement typically involves:
- Planning the audit, setting materiality, and identifying areas of significant risk
- Testing the accuracy of revenue, costs, assets, and liabilities
- Confirming balances with banks, debtors, and other third parties
- Reviewing the financial statements for compliance with accounting standards (FRS 102 or IFRS)
- Evaluating going concern – whether the company can continue operating for at least 12 months
- Issuing the audit report, which is filed at Companies House alongside the accounts
External auditors must be registered with a Recognised Supervisory Body (RSB) – in practice, that means being regulated by the ICAEW, ICAS, or ACCA. The FRC Revised Ethical Standard sets strict rules on auditor independence, including restrictions on providing non-audit services to audit clients.
Can internal and external auditors work together?
Yes, and under ISA (UK) 610, external auditors can use the work of internal auditors to reduce their own testing – but only if certain conditions are met. The external audit team must assess the internal audit function’s objectivity, competence, and the quality of their work before relying on it.
In practice, this means the engagement team might review internal audit reports on controls testing and, if satisfied with the methodology, reduce their own controls testing in those areas. This can save time and reduce the overall audit cost for the company.
But there are limits. The engagement partner can never delegate their responsibility for the audit opinion. And for areas involving significant judgement – like going concern assessments or fair value measurements – they must always do their own work regardless of what the internal audit team has done.
Companies with both functions get the most value when the internal and external audit teams coordinate their plans at the start of the year. The audit committee typically oversees this coordination, making sure there’s no duplication of effort and that both teams are covering the right risks.
What are the 4 types of audit?
People searching for this term usually mean these four:
- External (statutory) audit. The legally required annual audit of financial statements. This is what most people think of when they hear “audit.” External audits provide assurance to shareholders that the accounts show a true and fair view.
- Internal audit. A voluntary (for most companies) review of internal controls, risk management, and operational processes. Internal audits focus on improvement rather than compliance.
- Forensic audit. An investigation into suspected fraud, financial irregularities, or disputes. Forensic auditors follow audit evidence trails and may provide expert witness testimony.
- Compliance audit. A review of whether the organisation meets specific regulatory requirements – for example, FCA rules for financial services firms, or Charity Commission requirements for charities. Compliance audits can be internal or external.
There are also sector-specific types of audit: grant audits (for Innovate UK or lottery funding), pension scheme audits, academy trust audits, and solicitors’ accounts rules audits (SRA audits). Each follows its own reporting framework alongside the core ISA (UK) standards.
Do you need both internal and external audit?
It depends on your size, sector, and governance requirements.
Premium-listed companies on the London Stock Exchange must have an internal audit function under the UK Corporate Governance Code (Provision 25). If they don’t have one, they need to explain why in their annual report. Large private companies aren’t legally required to have internal audit, but many choose to because it strengthens risk management and gives the board better oversight.
For SMEs and owner-managed businesses, a formal internal audit function is usually unnecessary. The finance director or a trusted external adviser can perform periodic control reviews without the cost of a dedicated internal audit team. But you’ll still need an external audit if you exceed the statutory thresholds.
Some organisations outsource their internal audit to an accounting firm. This can work well for mid-sized companies that want the benefits of internal audit without employing a full-time team. However, the same firm cannot provide both internal and external audit services to the same client – that would compromise the external auditor’s independence under the FRC Revised Ethical Standard.
How Audit Group can help
We’re a specialist external audit firm, part of Jack Ross Chartered Accountants (established 1948) and regulated by the ICAEW. We provide assurance and statutory audit services to companies across the UK, from owner-managed businesses to subsidiaries of overseas groups.
If you need an external audit – or advice on whether your company qualifies for audit exemption – we can help. We also work alongside internal audit teams, coordinating our external audit work to reduce duplication and keep costs down.
Call us on 0161 832 4451 or visit our contact page to arrange an initial discussion.