By: Whitney Perez, Director of Quality and Compliance and Disha Shah, Associate Consultant for Cyber Risk Advisory
If you’re an organization with any type of business endeavor or objective, you’ve most likely looked into both internal and external auditing. While the term “audit” may spur some anxieties, internal and external auditors are ultimately there to build relationships and help you meet your end goal.
Let’s take a look at the difference between internal and external auditor roles and how partnering with both can increase your perspective on security and compliance.
Internal vs. External Auditors: What’s the Difference?
While both are there to examine your organization’s systems and controls, internal and external auditors have different roles.
The most important role of an internal auditor is to help decision makers protect their organization from various threats. The Institute of Internal Auditors (IIA) defines internal auditing as:
“An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
In other words, the internal auditor builds relationships with various control owners and helps them create a more secure environment.
Since the internal auditor works within the organization, they likely have a good grasp of the culture and internal issues. By providing an unbiased opinion to stakeholders, internal auditors can act as both auditor and consultant, and their consistency takes the pressure off control owners.
While both internal and external auditors work objectively and independently, the internal auditor, as an employee of your organization, is well placed to succeed in developing, or even enhancing, the organization’s security posture.
External auditors focus on outcomes similar to an internal auditor’s; however, they are independent of the organization in both appearance and fact. They can be certified accountants or compliance professionals with skills spanning accounting, finance, tax, compliance, cybersecurity, and IT.
Most organizations need an external auditor for financial or regulatory audits (e.g. Sarbanes-Oxley Act (SOX)) or when they’re seeking certification against frameworks such as SOC or ISO. External auditors can also be utilized in a consultant capacity to help your organization with projects where your organization may lack a dedicated resource or expertise.
While the term “external auditor” carries a stigma of being there to “get ya,” in reality, they’re a partner who’s there to help you meet your firm’s next milestone. External auditors partner with management and control owners to provide independent feedback that your company can use to improve its compliance posture and its processes.
External auditors are there to help build a relationship so organizations feel comfortable during the audit process. Within their scope, external auditors:
- Can offer industry best practices to improve processes and functionalities
- Can leverage the work of internal auditors, which saves the organization time and resources
- Can provide perspective by offering training and educating organizations about new cybersecurity best practices
- Cannot implement controls
- Cannot consult for the development of management systems, services to design, implement or maintain management systems, or anything that would compromise independence
Who Benefits from Internal and External Auditors?
While an internal auditor serves as a liaison within an organization, at some point you’re most likely going to need an external auditor to sign off on various compliance reports. It’s important to think about your current resources and unique needs when choosing whom to work with.
Does your organization need to improve or define your governance, risk management, or compliance? Or, are you in need of a SOC examination to ensure customer trust? Questions like these will help you decide which path to take.
If your organization is at the small business stage, it might not make financial sense to have a full-fledged internal auditor on board. In this case, you can hire an external consultant to guide you through your control environment, risk management, and implementation of various controls.
Partnering with a vCISO to look at various processes and assess your compliance is also a great option. However, a full internal audit is beyond the scope of a vCISO, and as these audits become an increasingly important function, you’ll want to look for an entity that can dedicate its time to fully assessing your existing and needed controls.
Midsize to Enterprise
Once your organization is at a larger stage of growth, hiring a full-time internal auditor can provide a better understanding of your control environment and unique risks. This will allow you to develop your own security program, partnering with external auditors when needed for reports and certifications.
It’s All About Perspective
Ultimately, your organization’s maturity will be the defining factor in whether you choose to work with an internal or external auditor. However, maintaining an ongoing relationship with both can serve your organization in the long term, deepening your perspective on security and compliance.
For example, if an external auditor feels that your organization has a strong control environment, they can leverage the work of your internal auditor during their engagement. A value fit such as this can lead to a collaborative and trusting relationship.
Whether hiring internally or externally, choosing an auditor is an important feat. It can be helpful to keep in mind the following:
- Partner with people and firms that fit your values
- Identify your specific needs and how these auditors can help you meet your goals
- Be honest with your auditors about your challenges
- Remove the stigma around failure. Auditing is about building relationships and process improvement
- Think of hiring auditors as if you are hiring an employee who is going to be integral to your growth
At BARR, we aim to grow along with our clients. While continuously maintaining objectivity and independence, we work with you and your internal auditors to offer recommendations on how you can improve overall security posture.
Is your organization looking to partner with an external auditor or vCISO? Contact us today.
About the Authors:
Whitney Perez, Director of Quality and Compliance
As Director of Quality and Compliance, Whitney Perez brings a wealth of experience in internal audits, SOX, SOC, ISO, information security, and internal control development.
Prior to joining BARR, Whitney held IT auditor and advisory positions at KCP&L in Kansas City, Missouri and Grant Thornton in Dallas, Texas. Whitney has a Bachelor of Science in Accounting from the University of Kansas and is a Certified Information Systems Auditor (CISA).
Disha Shah, Associate Consultant, Cyber Risk Advisory
As an Associate Consultant, Disha Shah supports the planning and execution of cyber risk engagements, including information technology audits and risk assessments for clients in various highly regulated industries.
Prior to joining BARR, Disha served as an associate in KPMG’s risk advisory practice. She holds a bachelor’s degree in accounting and management information systems from Northern Illinois University. Disha is quadrilingual, and can communicate in English, Hindi, Gujarati, and Sanskrit.