2.4 Authority, Conformance, and the External Audit Distinction
Key Takeaways
- The function's authority comes from the board-granted mandate and includes unrestricted access to records, personnel, and property relevant to engagements.
- Conformance with the Standards is demonstrated through the Quality Assurance and Improvement Program; an external assessment is required at least once every five years.
- Internal audit serves the organization and reports functionally to the board; external audit serves outside stakeholders and opines on the financial statements.
- Scope limitations imposed on the function must be communicated by the CAE to the board, because a restricted mandate can prevent the function from fulfilling its responsibilities.
Authority, Role, and Responsibility
Internal audit has no inherent power — its authority is granted by the board through the mandate (Standard 6.1) and recorded in the charter. That authority includes the right of unrestricted access to the records, personnel, and physical property relevant to any engagement. Any condition that limits this access is a scope limitation.
- Role: to provide independent, risk-based, objective assurance, advice, insight, and foresight on governance, risk management, and control.
- Responsibility: to perform engagements with proficiency and due professional care, in conformance with the Standards, and to communicate results to the appropriate parties.
Scope limitations
When management restricts access, limits the budget, or narrows the plan in a way that prevents the function from meeting its responsibilities, the CAE must communicate the potential impact to the board. The CAE does not simply accept the restriction, nor resign, nor quietly expand elsewhere to compensate — the board owns the mandate, so the board must decide what to do about a limitation on it. This escalation duty is one of the most heavily tested judgment points in Section A.
Proficiency and due professional care
Two responsibility concepts ride alongside authority. Proficiency (a Principle within the Standards framework's Ethics and Professionalism domain, and tested under exam Section B) means the function collectively possesses, or obtains, the knowledge, skills, and competencies needed to perform its responsibilities — no single auditor must be an expert in everything, but the function must have access to the competence each engagement demands.
Due professional care means applying the care and skill of a reasonably prudent and competent internal auditor: considering the extent of work needed, relative complexity, materiality, adequacy of governance and controls, and the cost of assurance against potential benefits. Care does not require infallibility or examining every transaction — it requires reasonable, risk-proportionate diligence.
Conformance and the QAIP
The function can claim conformance with the Standards only when supported by a Quality Assurance and Improvement Program (QAIP), which the CAE develops and maintains. The QAIP provides reasonable assurance that the function conforms with the Standards, achieves its performance objectives, and pursues continuous improvement. It has two components:
| QAIP component | What it is | Frequency |
|---|---|---|
| Internal assessments | Ongoing monitoring plus periodic self-assessments | Continuous / periodic |
| External assessments | Independent review by a qualified external assessor or team | At least once every five years |
The external assessment must be performed by a qualified, independent assessor or assessment team from outside the organization; at least one team member must hold an active Certified Internal Auditor (CIA) designation. The requirement can be met as a full external assessment or as a self-assessment with independent validation (SAIV).
Disclosing nonconformance
If the results of the QAIP indicate the function does not conform with the Standards in a way that affects the overall scope or operation of the function, the CAE must disclose the nonconformance and its impact to the board and senior management. A clean external assessment is what lets the function state it "conforms with the Global Internal Audit Standards."
Note the strict phrasing rule: a function may publicly state it "conforms with the Global Internal Audit Standards" only when the results of internal and external assessments support that statement. Absent supporting assessments, that claim cannot be made. This is a small but exam-favored detail — the right to assert conformance is earned through the QAIP, not assumed.
Internal Audit vs. External Audit
The exam reliably tests the contrast between internal and external audit. They are not competitors and they are not the same job:
| Dimension | Internal audit | External audit |
|---|---|---|
| Primary purpose | Improve governance, risk, and control across the organization | Express an opinion on the financial statements |
| Primary client | The board and management of the organization | Outside stakeholders (investors, lenders, regulators) |
| Reports to | Functionally to the board | The shareholders / those charged with governance |
| Scope | Broad — operations, compliance, IT, strategy, financial | Focused on financial reporting and related controls |
| Standards | Global Internal Audit Standards | External auditing standards (e.g., GAAS / ISA) |
| Status | Usually employees of the organization | Independent outside firm |
The two functions coordinate to avoid duplicated effort and provide efficient coverage, and the external auditor may rely on internal audit's work, but internal audit's mission is far broader than the external auditor's narrow financial-statement opinion.
Common traps in this area
- Saying internal audit's purpose is to opine on financial statements — that is external audit.
- Forgetting the external assessment cadence: at least every five years, not annually.
- Having the CAE accept a scope limitation instead of escalating it to the board.
Quick reference
- Authority = board-granted mandate + unrestricted access.
- Conformance evidence = QAIP (internal + external).
- External assessment = ≥ once every 5 years, qualified independent assessor.
- Internal audit improves the organization; external audit opines on financial statements.
Coordination, not subordination
The Standards expect the CAE to coordinate with external auditors and other internal and external assurance providers to maximize coverage and minimize duplication — sometimes called building an assurance map. Coordination is a peer relationship: internal audit does not work for the external auditor, and the external auditor's reliance on internal audit work does not transfer internal audit's responsibilities. The two simply share information so the organization gets efficient, comprehensive assurance. A stem suggesting internal audit must take direction from the external auditor is describing the wrong relationship.
According to the Standards, how frequently must an external assessment of the internal audit function's quality be performed?
Management imposes a scope limitation that prevents the internal audit function from accessing key records. What is the chief audit executive's responsibility?
Which statement correctly distinguishes internal audit from external audit?