T.R.U.S.T. - the Internal Audit Framework for the AI Era
In these most fascinating of times trust is no longer a vague virtue. It is an audit framework. Not trust as a slogan. Not trust as a value on a wall. Trust as a framework for assurance. Every board, executive, regulator and customer is asking the same basic question: Can we trust this system enough to use it, rely on it and defend it? I would have thought that Internal Audit is uniquely placed to answer that question.
T.R.U.S.T.
T - Traceability
If an AI-generated answer, recommendation or action cannot be traced, it cannot be properly audited. Internal Audit should be asking: what data fed this, what model produced it, what prompts shaped it, what controls were applied and what evidence trail exists?
R - Responsibility
AI does not remove accountability. It can often obscure it. Who still owns the process, the control failure, the customer impact and the regulatory and reputational exposure? Trust collapses quickly when responsibility becomes blurred.
U - Understandability
A system that cannot be explained will eventually be resisted, misused or over-trusted. Internal Audit should not demand perfect technical explainability in every case, but it should demand enough clarity for human challenge, governance and escalation.
S - Safeguards
Trust without control is theatre. Access controls, data protections, override rules, bias checks, incident response, model governance and usage boundaries are no longer optional extras. They are the scaffolding of trustworthy AI.
T - Testing
The biggest mistake organisations will make is assuming that because an AI tool worked last quarter, it is still reliable now. AI must be tested continuously: before use, during use, after change and when context shifts.
The future of Internal Audit is not just about using AI to make us quicker nor even to be auditing AI (I am always amazed how many teams don't see that second part as their responsibility!). It is helping organisations build, test and sustain trust in systems that now shape decisions at speed and scale that we can't even begin to imagine. In the AI era, trust is not a feeling. It is evidence.
Building Trust Through Audit Processes
Summary
Building trust through audit processes means using structured, transparent methods to evaluate systems, controls, and data so stakeholders can feel confident in how organizations operate and make decisions. Audit processes create a clear trail of accountability and evidence, which helps everyone—from leaders to customers—know that promises are backed by solid, measurable actions.
- Prioritize transparency: Share audit findings and processes with stakeholders in straightforward language so everyone understands how risks are managed and controls are in place.
- Establish accountability: Clearly define who is responsible for each part of the process, ensuring that issues are addressed promptly and ownership is never unclear.
- Commit to ongoing scrutiny: Regularly test, monitor, and update audit systems to respond to new risks and changes, showing that trust is built on continual improvement rather than one-time checks.
-
Did you know that weak measurement and verification systems can undermine the credibility of entire sustainability and climate programs? Recent analysis by Senken of more than 2,300 carbon projects found that in some categories, fewer than 16% of issued carbon credits corresponded to real emission reductions, highlighting the risks of inadequate monitoring and verification systems. At the same time, global climate finance and carbon markets depend on rigorous Measurement, Reporting, and Verification (MRV) processes, because one verified carbon credit represents one tonne of greenhouse gas emissions reduced or removed, a unit that governments, investors, and institutions rely on to track real progress. These numbers reinforce a simple but critical lesson: credibility in sustainability is built on systems, not promises. In practice, this means investing in robust monitoring frameworks, conducting independent compliance audits, and ensuring that data can withstand scrutiny from regulators, financiers, and stakeholders. Organizations that prioritize these systems are not only better prepared for evolving disclosure requirements, they are also better positioned to attract investment, manage risk, and deliver measurable impact. As sustainability expectations continue to rise globally, the institutions that will lead are those that understand that accountability is not an administrative requirement; it is a strategic asset. Because in sustainability and climate action, what gets measured, verified, and audited is what ultimately builds trust and delivers lasting results.
-
🔍 What does AUDIT really mean? It’s not just about numbers or financial statements — it's a structured approach to enhancing governance, risk management, and internal controls. Let’s rethink AUDIT as a strategic function, broken down into five key pillars: A – Assess We evaluate processes, systems, and controls to identify gaps, inefficiencies, and emerging risks across all areas of the organization — not just finance. U – Understand Auditors need to understand the business, its operating environment, and the regulatory landscape. Without context, findings lack relevance. Deep understanding drives meaningful insights. D – Document We record our observations, analyses, and procedures to ensure transparency, accountability, and continuity. Good documentation builds credibility and supports future decision-making. I – Inspect We examine evidence, challenge assumptions, and test internal controls — all with a focus on safeguarding assets, improving efficiency, and supporting organizational objectives. T – Test Finally, we test the design and effectiveness of controls to ensure compliance, reduce risk, and confirm processes are working as intended. 🛡️ Internal audit is not just about finding problems — it’s about enabling improvement, building trust, and strengthening the foundation of the organization. Let’s view audit as a partner in progress, not a checkpoint. #InternalAudit #Governance #RiskManagement #Controls #AuditProfession #ContinuousImprovement #BusinessIntegrity #StrategicAudit #TrustThroughAudit
-
Building an Internal Audit function from scratch teaches you something quickly. The hardest part is not hiring the team. It is convincing people the function actually matters. Early on you hear things like: “Do you actually understand how the business works?” “We’re trying to grow the business and audit is getting in the way.” “We run a tight ship. There are no problems here.” You mention controls and see a few head shakes. You talk about risks and someone visibly rolls their eyes. Sometimes it is even quieter than that.
- Meetings declined.
- Emails unanswered.
If you are in audit long enough you realise something. People often see you as the person sent to find mistakes, not help the business succeed. What changed things for me was not pushing harder. It was changing the approach:
- Listen first – understand what the business actually worries about.
- Keep it simple – strong controls support growth; they do not block it.
- Focus on value – helping spot risks early before they turn into big problems.
Over time the perception shifts. Good internal audit is not about catching people out. It is about helping organisations move forward with fewer surprises. Curious how others have built trust in Internal Audit? #InternalAudit #RiskManagement #Leadership
-
Dear IT Auditors, What Makes a Strong IT Audit Function Every organization depends on technology. But few truly understand how much risk hides in their IT environments. That’s where a strong IT Audit function makes the difference. It’s not about catching mistakes. It’s about ensuring reliability, trust, and resilience in how technology supports the business. 📌 Clear Audit Strategy Your IT audit plan must align with business priorities. It should focus on areas with the highest impact on operations, data, and compliance. 📌 Skilled and Informed Team Strong IT auditors understand both controls and technology. They can explain vulnerabilities in plain terms that management understands and acts on. 📌 Defined Governance and Independence A strong function sits independently of IT operations. Independence allows auditors to assure without influence or bias. 📌 Integrated Risk-Based Approach Audits should start with risk assessment. Each engagement must trace back to business risk. 📌 Effective Use of Technology Use data analytics, automated testing, and visualization tools. They help detect control failures early and validate evidence faster. 📌 Quality Communication and Reporting Audit reports must drive decisions. Use clear, concise findings linked to risk. Avoid jargon. 📌 Continuous Learning and Improvement Regulations, threats, and technologies change fast. The audit function must evolve with them. The strongest IT Audit functions don’t wait for problems. They anticipate risk and deliver insights that build organizational confidence. #ITAudit #AuditLeadership #GRC #RiskManagement #Assurance #InternalAudit #AuditQuality #TechGovernance #ITControls #AuditExcellence #CyberVerge #CyberYard
-
After being in the audit industry for many years, one thing is clear: First impressions matter in the compliance industry… Having performed many audits, both onsite and virtual, I can quickly tell whether a company will smoothly navigate the process or struggle through it. There are clear signs, and you can absolutely prepare for them. Here’s a simple six-point checklist I share with anyone who wants their audit to feel like a strategic review instead of a stressful test:
1. Share Your Compliance Documents Early. Send your latest compliance documents (like QMS, FDA, and ISO certifications) at least one week before the audit. A good QMS should reflect consistent updates, showing that your procedures are evolving and not stagnant.
2. Show How You Track Regulatory Changes. Include a list of any important regulatory changes (like FDA or ISO updates) since the last review. Highlight how you stay updated, through newsletters, regulatory bodies, or industry guidelines.
3. Give a "What Changed" Briefing. Talk about any major changes like staffing shifts, product updates, or market feedback from the last year. This helps the auditor focus on the key changes, instead of wasting time finding them.
4. Have Top Management Participate. Have your CEO or site leader attend the opening, closing, and management review sections. Their involvement demonstrates commitment and helps speed up decision-making during the audit.
5. Keep a Simple CAPA List. Maintain a single list or document that includes all internal CAPA actions, past audit findings, and significant events. This single source of truth builds trust and avoids confusion.
6. Have Your Post-Market Files Ready. Ensure all relevant post-market documents (PSURs, complaint data, FSCA logs) are organized and easy to access. When your team is prepared, the tough questions from auditors feel more like confirmation rather than confrontation.
Why should you invest time upfront? It makes the audit go smoothly with fewer “please provide” moments. It also builds a good reputation with regulators, making future audits easier. Auditors and quality teams: What single practice gives you a confident start?
-
Heading into the Holiday week, I want to share another learning from the Compyl GRC Your Way tour with AJ Yawn. Trust in GRC is built through transparency, not promises. This is something Michael Skidmore asked about in a comment on one of my posts a few weeks back, and it’s a theme that came up in most cities while talking directly with GRC professionals. The most confident practitioners weren’t asking for bigger claims or more polished dashboards. Instead, they were asking: - Where is this data coming from? - What assumptions were made? - When was it last updated? - What’s automated versus manually asserted? - How would I explain this to an auditor or to leadership? In those conversations, trust wasn’t created by saying, “Yes, this is compliant.” It was created by being able to clearly explain how that conclusion was reached. The GRC professionals feeling the most frustration were often the ones with answers, but not clarity. They had outputs, but couldn’t easily trace them back to evidence. Seeing this play out repeatedly reinforced something important… Great GRC programs are transparent by design. When practitioners can see, explain, and defend their work, trust follows, and friction disappears.
-
An audit should never be viewed merely as a search for mistakes, but rather as a strategic opportunity to enhance an organization’s overall performance. Instead of focusing solely on identifying faults, a well-conducted audit shines a light on areas where processes can be strengthened and risks can be minimized. This shift in perspective transforms the audit from a feared obligation into a proactive measure for safeguarding the company’s future. When approached with an open and collaborative mindset, audits provide valuable insights into operational gaps and inefficiencies. They help management understand where improvements are needed, whether in financial controls, compliance practices, or internal procedures. These findings serve as a roadmap for continuous improvement, enabling teams to implement stronger systems that promote accuracy, transparency, and resilience. Ultimately, audits build trust—both internally and externally. Employees gain confidence in the integrity of their work, while stakeholders, investors, and customers see a company committed to accountability and growth. By treating audits as learning opportunities rather than fault-finding missions, organizations not only strengthen their processes but also foster a culture of transparency and long-term success. An audit, when embraced positively, becomes a key driver of progress and sustainable development. #AuditInsights #ContinuousImprovement #ProcessExcellence #BusinessGrowth #InternalControls #RiskManagement #Transparency #Accountability #OrganizationalDevelopment #TrustBuilding #LearningCulture #FinancialIntegrity #BusinessSuccess #PositiveMindset #CorporateGovernance.
-
🔍 Understanding Trust Principles in Audit: Why They Matter More Than Ever:- In today’s digital-first environment, trust is no longer assumed. It is audited, tested, and evidenced. In assurance engagements, particularly SOC reports and IT audits, this trust is evaluated through the AICPA Trust Services Criteria (TSC), often referred to as the Trust Principles. These principles form the foundation for assessing whether systems are designed and operating effectively. Here’s a breakdown of the five core trust principles and their practical relevance: 🔐 1. Security (Mandatory for SOC 2) Ensures systems are protected against unauthorized access, both logical and physical. This includes: - User provisioning and deprovisioning - Privileged access management - Authentication (SSO, MFA) - Logging, monitoring, and incident response - Change management This is where IT General Controls (ITGCs) play a critical role. ⏱️ 2. Availability Focuses on whether systems are available as committed or agreed. Key considerations include: - System uptime and performance monitoring - Backup procedures - Disaster Recovery (DR) and Business Continuity Planning (BCP) - Capacity management 🧮 3. Processing Integrity Ensures system processing is complete, accurate, timely, and authorized. Auditors typically evaluate: - Input, processing, and output controls - Error handling and reconciliations - Change controls impacting business logic 🔒 4. Confidentiality Protects information designated as confidential. Common audit areas include: - Data classification - Encryption (at rest and in transit) - Restricted access to sensitive data - Secure data disposal 👤 5. Privacy Addresses how personal information is collected, used, retained, and disposed of in line with privacy commitments. Includes: - Privacy notices and consent - Data retention and deletion - Regulatory compliance (for example GDPR, CCPA) 💡 Why this matters For organizations, these principles are not just compliance requirements. 
They are signals of reliability and credibility to customers, regulators, and stakeholders. For auditors and risk professionals, they provide a structured lens to assess whether technology truly supports business objectives while managing risk. As systems grow more complex and interconnected, trust is built through controls, evidence, and transparency, not assumptions. Would love to hear how others are seeing these principles applied in real-world audits and SOC engagements. Kalesha & co #Audit #ITGC #SOCReports #TrustServicesCriteria #RiskManagement #CyberSecurity #Assurance #InternalControls
-
Building an Internal Audit Function from Scratch Establishing an Internal Audit (IA) function where none existed is both a challenge and an opportunity. Reporting directly to the CEO without an Audit Committee (AC) means you are laying the foundation for governance, risk management, and internal controls. 1. Understand the Organization Start by learning the business strategy, key processes, and stakeholder expectations. Without this context, controls and audit plans risk being misaligned. 2. Assess Risks & Controls Identify strategic, operational, compliance, and financial risks through interviews, walkthroughs, and reviews of policies and KPIs. This provides a clear picture of vulnerabilities and gaps. 3. Develop a Risk-Based Internal Audit (RBIA) Plan Prioritize areas with the highest risk and break processes into auditable sub-processes (e.g., procurement → vendor onboarding → payments). Keep the RBIA dynamic, updating it as the business evolves. 4. Define the Audit Charter & Structure Formalize IA’s mandate, scope, and independence. Create clear reporting and escalation lines to ensure transparency in the absence of an AC. 5. Build Trust & Credibility Start with quick wins that deliver immediate value. Communicate openly and constructively. Collaborate with process owners to co-create solutions. Continuously adapt to feedback and business needs. Final Thoughts Launching IA from the ground up requires vision, influence, and strong technical expertise. By aligning with organizational goals and delivering value early on, IA can become a trusted partner and a key pillar of governance. Have you ever been part of building an internal audit function from scratch? What lessons did you learn along the way? #InternalAudit #RiskManagement #Governance #RBIA #Leadership