Executive Summary

Financial institutions operate on trust. Whether the entity is a bank, financing company, lending company, pawnshop, money service business, payment service provider, investment firm, or other regulated financial institution, it must maintain accurate records, strong controls, reliable financial reports, and compliance with applicable regulations.

This is where internal audit and external audit become important.

An internal audit is an independent function within the organization that reviews internal controls, risk management, governance, operations, compliance, and process effectiveness. It helps management and the board identify weaknesses before they become regulatory, financial, or operational problems.

An external audit is conducted by an independent external auditor. Its main purpose is to examine the financial statements and issue an opinion on whether they are fairly presented in accordance with the applicable financial reporting framework. For financial institutions, external auditors also support market confidence, regulatory oversight, and corporate governance.

In the Philippines, regulated financial institutions may be subject to requirements from the Bangko Sentral ng Pilipinas, the Securities and Exchange Commission, the Anti-Money Laundering Council, the Bureau of Internal Revenue, the Insurance Commission, or other regulators, depending on the type of institution. BSP rules recognize internal control, compliance, and audit as part of sound governance for BSP-supervised financial institutions. The BSP also maintains a framework and list for selected external auditors of BSP-supervised financial institutions.

This guide explains the difference between internal and external audit, why both matter, and how financial institutions in the Philippines can use audit functions to reduce compliance risk, protect stakeholders, and strengthen long-term operations.

Why Audits Matter for Financial Institutions

Financial institutions handle money, credit, customer data, investments, remittances, payments, deposits, collateral, and financial records. A weak control environment can expose the institution to fraud, regulatory penalties, inaccurate reporting, money laundering risks, cybersecurity incidents, customer complaints, tax assessments, and reputational damage.

Audit helps reduce these risks.

An internal audit helps the institution look inward. It asks whether systems, controls, processes, policies, and people are working properly.

An external audit gives an independent view of the financial statements. It helps shareholders, regulators, creditors, investors, and the public assess whether the institution’s financial reports are reliable.

For financial institutions, both functions are necessary. Internal audit helps prevent and detect operational and compliance weaknesses. External audit helps confirm the reliability of financial reporting.

What Is Internal Audit?

Internal audit is an independent and objective assurance function within the organization. It helps the board and management evaluate whether internal controls, risk management, governance, and compliance processes are effective.

In simple terms, internal audit checks whether the institution is operating the way it should.

For a financial institution, internal audit may review loan approval processes, collection practices, cash handling, customer onboarding, anti-money laundering controls, cybersecurity procedures, branch operations, regulatory reporting, related party transactions, data privacy controls, and accounting processes.

Internal audit does not replace management. Management runs the business. Internal audit checks whether the business is being run with adequate controls and whether risks are properly managed.

In BSP-supervised financial institutions, internal control is treated as part of a broader governance framework involving the board, senior management, and personnel.

BSP materials describe internal control as a process designed to provide reasonable assurance on efficient operations, reliable financial and management information, and compliance with laws and regulations.

What Is External Audit?

External audit is performed by an independent auditor outside the organization. The external auditor examines the institution’s financial statements and issues an audit opinion.

The external audit focuses mainly on whether the financial statements fairly present the financial position, performance, and cash flows of the institution in accordance with the applicable accounting standards.

For financial institutions, external audit is especially important because regulators, lenders, investors, shareholders, and counterparties rely on audited financial statements.

The BSP has emphasized that external auditors contribute to safety and soundness by enhancing corporate governance and helping the public and investors make informed financial decisions.

For BSP-supervised financial institutions, the selection of external auditors may be subject to BSP rules and inclusion in the BSP list of selected external auditors. The BSP maintains a public list of selected external auditors for financial stability purposes.

Step-by-Step Guide: Understanding the Difference Between Internal and External Audit

Step 1: Understand the purpose of each audit

Internal audit focuses on improving the institution from within. It reviews controls, processes, risks, governance, compliance, and operations.

External audit focuses on the financial statements. It provides an independent audit opinion that helps users assess the reliability of the financial reports.

For example, internal audit may review whether loan officers are following credit approval policies. External audit may review whether loans, allowances, interest income, and disclosures are properly reflected in the financial statements.

Both are important, but they answer different questions.

Internal audit asks:

Are our controls and processes working?

External audit asks:

Are our financial statements fairly presented?

Step 2: Identify who performs the audit

Internal audit is performed by internal auditors or an outsourced internal audit service provider engaged to perform internal audit functions. Even when outsourced, the function should remain independent from the operations being reviewed.

External audit is performed by an independent external auditor or audit firm.

For regulated financial institutions, the external auditor should meet applicable regulatory qualifications. BSP-supervised financial institutions may need to engage an auditor included in the BSP’s list of selected external auditors, depending on the applicable category and institution type.

Step 3: Know who the audit reports to

Internal audit should have a direct reporting line to the board or audit committee. This protects independence and allows internal auditors to report issues without being blocked by management.

External auditors report through their audit opinion and communications with those charged with governance, such as the board or audit committee.

BSP corporate governance materials recognize the role of board-level committees and note that non-executive board members should meet regularly with the external auditor and the heads of internal audit, compliance, and risk management functions.

This reporting structure matters because audit is most effective when findings reach the right decision-makers.

Step 4: Compare the scope of review

Internal audit usually has a broader operational and risk-based scope. It may cover compliance, branch operations, loan processing, collections, cybersecurity, AML controls, data privacy, regulatory reporting, procurement, cash management, and fraud prevention.

External audit has a financial statement focus. It reviews accounting records, balances, disclosures, estimates, revenue recognition, impairment, provisions, and other matters affecting the audited financial statements.

For financial institutions, both scopes overlap in some areas. For example, both may examine loan accounts, impairment, cash balances, and controls. But the objective is different. Internal audit looks at control effectiveness. External audit looks at financial statement fairness.

Step 5: Understand timing and frequency

Internal audit is usually performed throughout the year based on an internal audit plan. High-risk areas may be reviewed more frequently.

External audit is usually conducted annually in connection with the audited financial statements, although interim reviews or special engagements may also occur.

Financial institutions should not wait for external audit season to discover control weaknesses. Internal audit should identify issues early enough for corrective action.

Step 6: Know the output of each audit

Internal audit usually produces internal audit reports addressed to management, the audit committee, or the board. These reports identify findings, risk ratings, root causes, recommendations, responsible persons, and target completion dates.

External audit results in an independent auditor’s report and audited financial statements. External auditors may also issue management letters identifying control observations.

For regulated entities, audited financial statements may be submitted to regulators. The SEC’s eFAST platform is used for filing reportorial requirements such as Annual Financial Statements and General Information Sheets, with certain special forms for regulated companies.

Internal Audit vs External Audit: Quick Comparison

Risks and Penalties

Weak audit systems can expose financial institutions to serious risks.

If internal audit is weak, management may fail to detect fraud, poor controls, unauthorized transactions, AML gaps, cybersecurity weaknesses, collection abuses, inaccurate reports, or regulatory violations.

If external audit is weak or delayed, the institution may face problems with audited financial statements, regulatory filings, bank requirements, investor due diligence, tax compliance, and public credibility.

Regulated financial institutions may also face regulatory consequences for late or inaccurate reportorial submissions, deficient governance, weak internal controls, or non-compliance with supervisory expectations.

For BSP-supervised financial institutions, external auditors are part of the broader governance and safety-and-soundness framework. The BSP maintains regulatory guidance on the selection of external auditors and a list of selected external auditors for supervised financial institutions.

For SEC-registered corporations, reportorial submissions such as audited financial statements and General Information Sheets may be filed through eFAST, and late or deficient filings may create compliance issues.

Practical Examples

Example 1: Lending company with weak credit approval controls

A lending company discovers that loan officers are approving loans without complete borrower documents.

Internal audit can review the loan approval process, identify control gaps, and recommend stronger documentation, approval limits, and monitoring procedures.

External audit may later review whether loan balances, impairment allowances, and disclosures are properly presented in the financial statements.

Both audits matter, but they serve different purposes.

Example 2: Pawnshop with cash handling risk

A pawnshop has several branches handling daily cash transactions.

Internal audit can perform branch audits, cash counts, transaction testing, and compliance checks to detect irregularities.

External audit will examine whether cash balances and related accounts are fairly stated in the audited financial statements.

Example 3: Financing company preparing for regulatory filing

A financing company needs to submit audited financial statements and other reportorial requirements.

External audit is needed for the AFS. Internal audit helps ensure that records, controls, loan documentation, collections, and compliance processes are reliable before external audit begins.

Example 4: Money service business with AML control gaps

A money service business handles remittances and fund transfers.

Internal audit can test customer due diligence, transaction monitoring, suspicious transaction escalation, and recordkeeping.

External audit may consider whether financial statement balances and disclosures are properly presented, but internal audit is usually better positioned to review day-to-day AML process effectiveness.

Example 5: Financial institution preparing for investor due diligence

An investor wants to review a financial institution’s governance, audited financial statements, compliance records, and internal controls.

External audit supports confidence in the financial statements. Internal audit reports show whether management actively identifies and fixes operational and compliance risks.

Together, they strengthen investor confidence.

Common Mistakes Financial Institutions Should Avoid

Mistake 1: Treating internal audit as a formality

Internal audit should not be limited to a checklist. It should be risk-based, independent, documented, and followed by corrective action.

Mistake 2: Confusing internal audit with accounting

Accounting records transactions. Internal audit tests whether controls, processes, and compliance systems are working.

Mistake 3: Relying only on external audit

External audit is important, but it is not a substitute for ongoing internal control review. External auditors usually focus on financial statements, not every operational and compliance risk.

Mistake 4: Hiring an external auditor too late

Financial institutions should plan early. Delayed audit preparation can lead to late filings, rushed schedules, and unresolved accounting issues.

Mistake 5: Ignoring audit findings

An audit finding is useful only if management acts on it. Financial institutions should track corrective actions and report progress to the board or audit committee.

FAQ Section

What is the difference between internal audit and external audit?

Internal audit reviews internal controls, risk management, operations, governance, and compliance. External audit examines the financial statements and issues an independent audit opinion.

Do financial institutions need both internal and external audit?

Yes, in practice, both are important. Internal audit helps detect and correct issues early.

External audit provides independent assurance on financial reporting.

Who does internal audit report to?

Internal audit should report to the board, audit committee, or appropriate governance body to preserve independence.

Who performs external audit?

External audit is performed by an independent external auditor or audit firm. For BSP-supervised financial institutions, the auditor may need to be included in the BSP list of selected external auditors, depending on applicable rules.

Is internal audit the same as compliance?

No. Compliance helps ensure adherence to laws, rules, and policies. Internal audit independently reviews whether compliance and control systems are working effectively.

Does external audit detect fraud?

External audit may detect fraud risks or misstatements, but its main purpose is to express an opinion on financial statements. Financial institutions should not rely on external audit alone for fraud prevention.

What should internal audit review in a financial institution?

Internal audit may review credit processes, collections, cash handling, AML controls, cybersecurity, data privacy, regulatory reporting, branch operations, accounting controls, and governance processes.

Why does audit matter for investors and regulators?

Audit supports trust. It helps show that the institution has reliable financial reports, effective governance, and stronger control systems.

Call-to-Action

Internal and external audits are not just compliance exercises. For financial institutions, they are essential tools for protecting trust, strengthening governance, managing risk, and satisfying regulators, investors, and stakeholders.

A strong internal audit function helps identify problems before they become serious. A reliable external audit supports confidence in the institution’s financial statements and public reporting.

Aureada CPA Law Firm assists financial institutions, financing companies, lending companies, pawnshops, money service businesses, startups, investors, directors, and compliance teams in regulatory compliance, internal control review, audit coordination, SEC and BSP compliance, AMLC coordination, BIR tax compliance, corporate governance, and risk management.

If your financial institution needs help reviewing audit readiness, governance, compliance gaps, or reportorial obligations, early legal and accounting guidance can help prevent costly regulatory issues and support sustainable growth.