Auditing Best Practice

How Can Internal Audit Report Effectively to Its Stakeholders?

by Andrew Cox

Executive Summary

  • Internal audit has a range of stakeholders who rely on its work, seeking assurance that the organization is running well and that there are effective controls in place.

  • Internal audit has a responsibility to its stakeholders to provide reports on the operation of the organization’s risk management, control, and governance processes. It also has a responsibility to justify the value of its work and the organization’s spending on internal audit resources.

  • Internal audit can report on its work to its stakeholders by:

  • Together, these elements combine to provide stakeholders with an overall view of the effectiveness of internal audit; one without the other will only provide a partial reporting structure.


Internal audit has a variety of stakeholders who rely on its work. These include: the board of directors; the audit committee; the chief executive officer; senior executives such as the chief financial officer, chief information officer, chief risk officer, etc.; the external auditors; in some cases, regulatory bodies; and stockholders—who, in the case of government organizations, could be the public.

All these stakeholders are seeking assurance that the organization is running well, and that effective controls are in place and operating properly. Internal audit has an important role to play in providing assurance to these stakeholders, but the trick is how to report the results of its work to them effectively.

Assurance Models

Assurance can be equated with the term governance, the four pillars of a good corporate governance framework being—according to the Institute of Internal Auditors—executive management, the audit committee, external audit, and internal audit. Each of these elements relies to an extent on the others, and they all need to be operating effectively to provide overall assurance to stakeholders.

The board of directors will generally want to see a combined assurance model in place for the organization that provides three lines of defense, as shown in Table 1. This demonstrates the interdependencies between the four pillars of good corporate governance and the three lines of defense that go to make up a combined assurance model.

Table 1. Combined assurance model with three lines of defense

|          | First line of defense | Second line of defense | Third line of defense |
|----------|-----------------------|------------------------|-----------------------|
| Function | Management controls | Management of risk | Independent assurance |
| Focus    | Real-time focus | Real-time focus + review focus of 1st line | Review focus of 1st and 2nd line |
| Elements | Policies and procedures; internal controls | Risk management; legal department | External audit; internal audit |
| Role     | Review compliance; implement improvements | Confirm compliance; recommend improvements | Independently confirm compliance; recommend improvements |

Source: National Australia Bank, with amendment.
