Standard-setters believe high-quality internal audit functions (IAFs) serve as a key resource to audit committees for monitoring senior management. However, regulators do not enforce IAF quality or require disclosures relating to IAF quality, which is in stark contrast to regulatory requirements placed on boards, audit committees, and external auditors. Using proprietary data, I find that a composite measure of IAF quality is negatively associated with the likelihood of management misconduct even after controlling for board, audit committee, and external auditor quality. This result is robust to a variety of other specifications, including controlling for internal control quality and separate estimation during the pre- and post-SOX time periods. A difference-in-differences analysis indicates that misconduct firms have low IAF quality and competence during misconduct years and improve IAF quality and competence in the post-misconduct years. These findings suggest that regulators, audit committees, and other stakeholders should consider ways to improve IAF quality.