Skip to main content

What is internal audit? No, really, what is it?

Posted by: , Posted on: - Categories: Internal Audit, People, Quality

When I was asked to write this blog, I recalled a chat with a colleague about our attempts to explain our work to family and friends (yes, auditors do have friends). Our efforts largely resulted in blank expressions and swift changes of subject. Asking other colleagues revealed we were not alone in the challenge.


The definition on our profession’s websites doesn’t shed much light either:

The role of internal audit is to provide independent assurance that an organisation's risk management, governance and internal control processes are operating effectively.

So, what is it all about then … and why does it even matter?

Why does internal audit matter?

Internal audit matters because we deal with issues that matter to the organisations we serve. Through our work, we help the people who run organisations to do so effectively on behalf of their stakeholders. For government organisations, those stakeholders include the public; that’s you and me.

What do internal auditors actually do?

We help organisations succeed. That’s a big statement, which needs explaining.

To succeed, organisations need to have objectives and they need to manage risks that might have an effect on them meeting those objectives. All organisations, like all individuals, constantly face risks. A risk is simply an event which, should it occur, will have an effect on meeting an objective.

We provide assurance, which means that we look at the systems and processes designed to help organisations manage risks and therefore meet their objectives. We then tell the people who run the organisations how well those systems and processes are working to manage those risks and how they can improve them.

We provide consultancy, which means we help organisations make improvements to their systems and processes. We might do that by providing advice, facilitation and training, but not by actually doing the work. We don’t do the work because if we were later asked to assure it, our independence would be in doubt.

What’s the big deal about independence?

Independence matters because to do our work properly we must be objective and free from undue influence. Being independent of the organisations we work with means we can take a balanced view that is not unduly influenced by our own or others’ interests in the organisation.

What does it take to be an auditor?

Apart from a cape, and snazzy tights, (to be clear – I am joking about that), auditors need curiosity. As the popular wartime entertainer George Formby put it, ‘for a nosey parker, it’s an interesting job’. We need curiosity because we need to find out what is really happening before we can reach an opinion on it.

We need terrier-like digging skills to gather the evidence to give us a sound basis for our opinion. We need to look, listen and question. Then we need analysis skills to make sense of the evidence we gather; looking at patterns and trends, testing different sources of information against each other to see how it all stacks up. Conclusions rarely fall into our lap fully formed because if things were that simple, our customers wouldn’t need our help.

Then we need to be resilient, because we must be willing to back our own judgement and stand up for what’s right. We need to see the big picture too, and understand what really matters. From early in our careers, we talk to people right at the top of organisations about their biggest issues. Those people haven’t got time for trivia, which makes nerves of steel handy too.

Whilst we are known for being fond of them in our work, there really is no template for being an auditor. We need a mix of skills and knowledge and come from all sorts of backgrounds; diversity really is our strength.

Sharing and comments

Share this page


  1. Comment by Ady Dike posted on

    Hi Julie, this is a fabulous - an accessible description of IA. Well done!

  2. Comment by yogesh posted on

    your content was very usefull.

  3. Comment by Scott posted on

    Coming from a financial services background I recognise this definition of IA as the 3rd Line of Defence - a vital part of the overall framework of effective risk management. I wonder if anyone has a view on where the 2nd Line sits?


Leave a comment

We only ask for your email address so we know you're a real person

By submitting a comment you understand it may be published on this public website. Please read our privacy notice to see how the GOV.UK blogging platform handles your information.