Difference between Internal Audit and Internal Control?

I am frequently asked the question; What is the difference between Internal Audit and
Internal Control? This is where I attempt to answer this question. Ill talk in brief about
Internal Audit first.

Internal Audit is the frequent or ongoing audit conducted by an organisations own personnel.
Internal Audit primarily monitor operating results, verify financial records, evaluate internal
controls, and assist with enhancing the efficiency and effectiveness of operations. Not least
their role includes detecting fraud.

Internal Auditors work on the basis of objectivity i.e. they strive as far as possible or
practicable to reduce or eliminate bias, prejudice, or subjective evaluation by relying on
verifiable data. In terms of Internal Control their role is to examine the adequacy and
effectiveness of internal controls and make recommendations where improvements are
needed.

Since Internal Audit should remain independent and objective, Internal Audit does not have
responsibility for developing or maintaining internal controls. It is the role of management to
implement the policies adopted by the Board or the Chief Executive and to identify, evaluate,
avoid or mitigate and control the risks the organisation could face in achieving its objectives.
However, the effectiveness of Internal Control is enhanced through the review process
performed by Internal Audit and the recommendations made for improvement.

Internal Control on the other hand is recognised as one of the core business processes. It is an
integral part of an organisations financial and business policies that control the strategic,
financial and operational procedures of an organisation. The process is based upon a system
of management information, financial regulations, administrative procedures and a system of
accountability.

There are a number of definitions of internal control on the internet. At the AICP we define
internal controls as comprising the plans, methods, techniques and procedures used to meet
an organisations mission, goals, and objectives, and to ensure the security of an
organisations operations.

This definition is short, I know, but within the definition all the elements of corporate
strategy are considered. In effect Internal Control is an integral part of managing an
organisation, and it provides the framework for identifying and addressing major performance
challenges.

It is accepted by some people that an organisation could live without internal audit but could
not survive long without effective internal controls. Personally I believe this to be close to
the truth. Having said that, it is difficult to see how the board of directors of an organisation
could gather sufficient objective information to carry out its stewardship or report effectively
on internal control without the active involvement of Internal Audit.

There can be no doubt that both Internal Audit and Internal Control add value and improve an
organisations operations, albeit in different ways.