What is the difference between internal audit and external audit?

Internal audit is a function that, although it operates independently from other departments and reports directly to the audit committee, resides within the organisation (i.e. internal auditors are company employees). It is responsible for performing audits (both financial and non-financial) across a wide range of areas within a business, as directed by the annual audit plan. Internal audit looks at the key risks facing the business and what is being done to manage those risks effectively, to help the organisation achieve its objectives. For example, it may look at risks to the company’s reputation, such as the use of cheap labour in foreign countries, or strategic risks, such as producing too many products in comparison to the resources available.

External audit is an independent body which resides outside of the organisation it is auditing. External auditors are focused on the financial accounts or risks associated with finance, and are appointed by the company shareholders. The main responsibility of external audit is to perform the annual statutory audit of the financial accounts, providing an opinion on whether they are a true and fair reflection of the company’s financial position. As part of this, external auditors often examine and evaluate the internal controls put in place to manage the risks which could affect the financial accounts, to determine whether they are working as intended.


What is the difference between the internal and external audit process?


You can find more information about SAP audit related topics in our risk & assurance services section.
