Internal Audit

What is Internal Audit?

hand with pen on financial statement with calculator
••• Don Bayley / Getty Images


Internal audit is the function within an organization that conducts audit projects as if it were an outside auditor yet is still part of the organization. Internal auditors work for organizational leadership but maintain their objectivity when auditing or investigating.

An organization’s chief internal auditor answers to the organization’s governing board or chief executive. This helps mitigate the temptation for an auditor to “take it easy on” any particular part of the organization.

In theory, the auditor only has allegiance to the governing board or chief executive.

The overall goal of an internal audit department is to reduce actual and potential . The biggest benefit internal auditors offer their employers is being a watchdog. Internal auditors do this by undertaking audit projects. Each project evaluates a particular part or function of the organization. The primary tool internal auditors use to determine which projects they will undertake is an annual risk assessment. 

The end product of an audit is a report including findings and recommendations. Audit findings are the important conclusions auditors reach. For instance, an audit finding for a financial audit could be that an accounting department lacks appropriate internal controls to ensure no single person can perform a financial transaction unchecked. Audit recommendations are actions auditors recommend management undertake to address the audit findings.

Continuing with the financial audit example, auditors might recommend each paper check issued by the organization has two signatures on it.

But the audit is not complete at when the report is first issued. Management has an opportunity to respond to each finding and recommendation. These responses often agree with the internal auditors’ findings and communicate management’s planned actions to remedy unfavorable findings and implement recommendations.

But sometimes, management and auditors must agree to disagree. In these cases, management disagrees with a finding or rejects a recommendation. Management explains it’s logic in the management response. Once management responses are added to the report, it is finished. Many times, auditors follow up six months to a year later to see how management has progressed on implementing agreed upon recommendations.


In law enforcement organizations, internal audit is often called internal affairs. Frequently, it encompasses standard internal audit functions as well as investigatory functions specific to law enforcement. For example, internal affairs investigates when an officer is accused of violating policies or procedures such as using excessive force or mishandling evidence.

Organizations that have law enforcement departments but are not solely law enforcement agencies -- like city and county governments -- have separate internal audit and internal affairs departments.