EN ES
Request a consultation

Practice area

Internal audit.

Risk-based plans, fieldwork, and reporting that pass committee scrutiny. Co-sourced or fully outsourced, partner-led on every engagement.

The practice

An internal audit function that earns its seat at the table.

Internal audit is the third line. Treat it that way.

Internal audit is the function the audit committee turns to when they need an independent read on what is actually happening across the institution. Our practice is built for that: risk-based annual plans, fieldwork executed by people who have done the work being tested, reports that name what is broken and what to do about it.

We engage in three configurations: full outsourcing for institutions that have decided not to staff an in-house function; co-sourcing for institutions that have a CAE and need specialized subject-matter capacity (IT, AML, model risk); and quality assurance reviews — independent QARs against the IIA standards — for in-house teams.

What the audit committee gets is a partner. Not a deck. A partner who reads the workpapers, sits in the closing meeting, and writes the executive summary.

The work

The work in this practice, named.

  1. Risk assessment & annual plan An enterprise risk assessment that informs a one-year audit plan calibrated to the institution's risk profile and regulatory expectations.
  2. Fieldwork & testing Walkthroughs, control testing, substantive procedures. Executed by people who have run the function being audited.
  3. Reporting Findings ranked by severity, written for the audit committee. Three findings, not thirty.
  4. Issue tracking & remediation Validation that management's remediation actually closed the control gap — not just the ticket.
  5. Quality assurance reviews Independent QARs against IIA standards for in-house internal audit functions, every five years.
  6. Committee reporting Quarterly briefings, an annual report, and the conversations that happen in between.
A typical engagement

From risk assessment to committee read-out — six to nine months.

Phase Timing Deliverable
Risk assessment Weeks 1–3 Workshops with management; review of prior audits, examination reports, and operational losses; the annual plan is the deliverable.
Fieldwork Weeks 4–16 Audits executed on the agreed plan; biweekly status to the CAE; partner present at every closing meeting.
Reporting Weeks 16–22 Findings written, vetted with management, and presented to the audit committee. Severity ratings hold.
Tracking Ongoing Quarterly status on open findings; revalidation when management says a control is fixed.
Related practice areas