
What is the difference between internal and external audit and what do they have in common?


The rules for performing internal and external audits are defined by the international standard EN ISO 19011:2018:

  • provides guidance on auditing management systems, including audit principles, audit program management, and performing management system audits
  • provides guidance on assessing the competence of individuals involved in the audit process, including the person managing the audit program, auditors and audit teams
  • is applicable in all organizations that need to perform internal or external audits of management systems or manage the audit program
  • can also be used for several types of audits

The international standard EN ISO/IEC 17021-1 (Part 1: Requirements) provides guidance on conformity assessment and sets requirements for bodies performing audit and certification of management systems.
 

ISO 19011:2018 defines an audit as a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are met.

Internal audits are performed by a team of competent internal auditors, and in most organizations the process of managing internal audits falls under the quality management manager. Performing internal audits is also necessary for effective preparation of the organization for a certification or supervisory audit, which is performed by a third party, i.e. an independent certification organization, or for external customer audits.

External audits are performed by a team of competent external auditors. In most certification companies the process of managing external audits falls under the Head of the Certification Body, who also sets the audit program, the audit objectives and the audit team.

During external audits, the audit team is also accompanied, if necessary, by a so-called technical expert: a person who provides the team of external auditors with specific knowledge or expertise (for example, in a hospital audit this is a doctor; in the case of a food organization, it is an expert with 20 years of experience in food production, etc.).

In managerial practice, we distinguish 3 types of audits (internal, customer, certification).

Audits may be performed:

  • 1st party - internal audits, performed by the organization's own trained staff (internal auditors in the organization). They focus on assessing the organization's strengths and weaknesses and on verifying compliance with its own procedures/guidelines/methods as well as with external standards adopted voluntarily (ISO 9001, etc.) or mandatorily (specific customer requirements). They can be system, process or product audits.
  • 2nd party - an external audit performed by the customer or by a contracting organization on behalf of the customer. A contract is concluded and the goods or services are or will be delivered. Second-party audits are subject to contract law rules, as they provide contractual guidance from the customer to the supplier. They tend to be more formal than first-party audits because the results of the audit could affect the customer's purchasing decisions. Customers or potential business partners use them to verify the level of the quality management system at suppliers (so-called customer/supplier audits).
  • 3rd party - external audit, which is performed by a certification audit organization, independent, i.e. without a relationship between the customer and the supplier, without a conflict of interest, on the basis of an order or contract. The independence of the audit organization is a key element of a third-party audit. Certification audits include initial certification, surveillance, recertification (audit renewal) audits and may also include special audits. Integrated audit means that the client has included the application of the requirements of two or more management system standards in one management system and its auditing is performed according to more than one standard. The result of 3rd party audits may be the certification of the quality management system or another management system, registration, recognition, evaluation, approval of the license, a fine imposed by a third-party organization or an interested party.

 

 

For both types of audits (internal and external), the audits are performed by a team of competent auditors, consisting of the Chief Auditor and the Auditors, who meet the requirements of Chapter 7, Competence of auditors, of ISO 19011. In addition, external auditors must meet the requirements set out in the "Auditor's Knowledge and Skills Table" in accordance with ISO/IEC 17021-1.
 

According to the object, orientation and focus, audits are divided into:

  • audit of quality management system, EMS, health and safety (structure and functionality of management system)
  • process audit (suitability and reliability of processes, especially core business processes)
  • product audit (verification of elements, parts, characteristics, components and final product in accordance with specifications)

The relationship between internal and external auditors is good if the top management of the organization provides the adequate resources and support needed to streamline the quality management system. The more precise and frequent the internal audits performed in the organization (provided corrective measures for detected nonconformities are also effectively implemented), the more easily the organization can handle external audits performed by either a third party (certification body) or a second party (customers).

In accordance with EN ISO 19011:2018, it is possible to identify the main differences between external and internal audits in the subject and scope of the audit, in the knowledge of environmental conditions and risks of the audited entity and the degree of auditor independence.

According to the IIA (2009) survey, senior management and internal auditors consider the most important benefit of internal audit to be providing objective assurance that key business risks are being adequately managed and that the risk management and internal control framework are working effectively. They believe that internal audit is more likely to bring value by focusing on its assurance role, i.e. confirming that the management system in place meets the requirements of the relevant ISO international standard as well as in-house specific rules/directives and customer specific requirements.

External audits performed by customers give the organization a chance to gain a new business opportunity (due diligence audits in business tenders), while external certification audits performed by certification bodies provide the organization's management with assurance that the established management system meets the requirements of the relevant ISO standard. credit in the eyes of customers.

 
