Closing the Performance Gap in Auditing Practices

Audit Committees say they want more insight from Internal Audit, but they rarely spell out what that means in practice. Last week, I tested whether expectations of internal audit have shifted towards greater insight and strategic input. Just under half of respondents to my poll (47%) saw a clear change in expectations. Others said there was no follow-through, or voted that it was, mostly only talked about. 28% saw no material change at all, although one respondent explained that expectations had long been high. I put the same question privately to Chief Audit Executives and Audit Committee members. What came back was a consistent pattern. From CAEs, the message was that the pull towards greater insight exists, but it is uneven. In some organisations, internal audit is being brought into discussions earlier and used as part of management and board deliberations rather than purely for reporting. In others, only the language has moved, but not the reality. Audit Committee members described the same landscape. One spoke openly about frustration with internal audit functions that focus only on assurance. Another described the outcome as dependent on two things coming together at the same time: a board prepared to involve internal audit earlier and beyond pure assurance, and an internal audit function with the confidence, credibility, and judgement to operate there. When both are present, internal audit becomes a sounding board. Analysing the poll and DMs together, expectations are rising in some places, stalled in others, and sometimes expressed more as language than behaviour. This is a critical time - expectations could genuinely strengthen into common practice or just fade back into wishful language. So what is needed to make sure of the first outcome? Most internal audit reports already explain why a finding matters and what should be done. That is not the gap. The gap is strategic pattern recognition and it's early communication. By strategic pattern recognition, I do not mean another framework or methodology. I mean stepping back and looking across what is already known. That might involve reviewing recent audit work to see what keeps recurring across functions or geographies, examining how management responses are framed, or noticing where action is repeatedly deferred. It might also involve drawing in customer complaints, operational incidents, or risk events and considering what picture emerges when these signals are viewed together. This is the difference between reporting what happened and influencing what happens next. Individual findings inform. Patterns change priorities. None of this requires a new audit, a new framework, or a change in role. It requires judgement, and the discipline to act while the organisation is still receptive, rather than after the moment has passed.

After reviewing 100+ Internal Audits, I noticed one common mistake… Most companies treat Internal Audit as a compliance checkbox. Not as a business risk management tool. And that is where things start going wrong. Here are the 5 biggest internal audit gaps I see repeatedly: 1️⃣ No follow-up on audit findings Audit reports are submitted. Filed. Forgotten. Next year? The same observations appear again. An audit without follow-up is just documentation. ⸻ 2️⃣ Auditing the wrong areas Companies often audit low-risk processes because they are easier. But the real risks remain untouched, such as: • Vendor fraud • Data manipulation • Management override of controls • Weak IT access controls ⸻ 3️⃣ Internal Audit reporting to the wrong person If the Head of Internal Audit reports to the CFO being audited, independence is already compromised. Best practice: Internal Audit should report to the Audit Committee or Board. ⸻ 4️⃣ No risk-based audit planning Many companies follow a checklist audit approach. But not every process carries the same risk. Internal audit should focus on: • High-value transactions • Control-sensitive processes • Areas with fraud risk ⸻ 5️⃣ Treating auditors like enemies In the best organizations, internal audit is seen as a strategic advisor. Not a policing department. When management and auditors collaborate, organizations build stronger systems and better governance. ⸻ Internal audit done right = ✔ Fewer surprises ✔ Stronger internal controls ✔ Better management decisions Internal audit done wrong = false confidence that everything is fine. ⸻ I’m a Chartered Accountant specializing in Tax, Finance & Internal Audit. I share practical insights here that textbooks rarely teach. Follow CA Basant Agarwal for more insights. Question for professionals: What is the biggest internal audit gap you have seen in your organization?

Dear IT Auditors, The Concepts of Design, Implementation, and Operational Effectiveness in ITGC If your ITGCs pass the audit, ask a harder question. Do they still work on a bad day? This question exposes the gap between design, implementation, and operating effectiveness. 1. Design answers a simple question. Does the control address a real risk in the system environment? Many ITGCs fail here because teams reuse templates without mapping risks to architecture, data flows, or user behavior. 2. Implementation tests whether the control exists as designed. Roles assigned. Tools configured. Procedures approved. 3. Operational effectiveness proves the truth, and it is the hardest part. The control performs consistently over time, regardless of volume, exceptions, or change, as designed. It demonstrates that the control works every day, not just during audits. In audits I’ve led, most failures occurred at this stage, not because teams ignored controls, but because execution drifted quietly. 📌 Design links the control to a specific business and system risk 📌 Implementation confirms that people and tools follow the design 📌 Operating effectiveness proves consistency over time 📌 Evidence should show repeat performance, not one-time success, and not intent. Leaders who focus only on design or implementation gain false assurance without protection. Real assurance (Operating effectiveness) comes from controls holding up under pressure and change. Takeaway 👇 Controls earn trust only when they work on bad days. #ITAudit #ITGeneralControls #CyVerge #ITGC #InternalAudit #SOXCompliance #TechnologyRisk #AuditQuality #ControlTesting #GovernanceRisk #ITGovernance #Assurance

The Post-Audit CAPA Trap: Why fixing findings doesn't always fix systems The audit concludes. Findings arrive. The organization mobilizes. CAPAs are drafted. Tasks are assigned. Deadlines are set.  ... and then it repeats with the next audit. Why do organizations keep receiving similar findings despite diligently addressing each CAPA? The answer lies in a fundamental misunderstanding of what audit findings represent. They aren't isolated incidents - they're symptoms of system weaknesses. Most post-audit responses follow this pattern: 1. Create a 1:1 relationship between findings and CAPAs  2. Do not differentiate between correction, CA and PA, but: 3. Focus on immediate correction only 4. Define "effectiveness" as closing the CAPA (metrics!) 5. Treat each finding as unique rather than part of a pattern 💡 This approach creates an illusion of quality improvement while leaving system vulnerabilities intact. Consider this real example: A sponsor received findings about monitoring documentation. Their response? Retrain CRAs on documentation requirements. Six months later? Same issues, different studies. What was missing? A root cause analysis. The recognition that the monitoring process itself needed optimization - e.g., due to unrealistic timelines, insufficient review steps, and incompatible technology. Organizations that break the cycle approach findings differently - they analyse the underlying causes on a systemtic level and perform a diligent root cause analysis. • They look for patterns across seemingly unrelated findings • They trace problems to their origins in system design • They question underlying assumptions about processes • They measure effectiveness through prevention, not closure Next time you face audit findings, ask yourself these questions:  > What system allowed this to happen?  > What patterns exist across multiple findings?  > Which processes need redesign, not just correction?  > How will we know our system is truly improved? Because ... quality improvement isn't measured by corrections but by systemic improvement. What's your experience with the post-audit CAPA cycle? #QualityManagement #ClinicalResearch #InspectionReadiness 

This is the disconnect everyone in GRC deals with.  Controls operate continuously inside modern systems. Verification does not.   Verification waits for the audit calendar. That latency isn’t a tooling issue as much as an architectural gap in how evidence is produced. And this gives us a backward-looking administrative burden rather than a forward-looking risk management practice. Enterprises already have telemetry that describes control behavior. Cloud APIs, SaaS platforms, identity providers, logs, and CMDB sources produce signals about access, configuration, deployment, and change. The data exists in real time. But compliance workflows consumes it in long intervals. Raw system data isn’t useful to auditors. It must be translated into evidence for a specific control and a specific framework. That translation layer is missing in most environments. When it’s missing, compliance becomes a reconstruction exercise. This translation cannot be a 'black box.' Security logic must be transparent, allowing teams to codify custom rules for both cloud-native and legacy on-prem systems. But once that translation is codified, evidence can be generated continuously. Exceptions surface earlier, while the context for remediation still exists. Audit preparation becomes review instead of archaeology. GRC teams spend less time collecting artifacts and more time interpreting control performance. It becomes possible to answer board questions with current evidence instead of stale snapshots. This translation layer shouldn't be another silo. We have enough of those already. It needs to be an extensible engine that enriches the existing system of record – the GRC platforms enterprises have already invested in – turning these static GRC platforms into dynamic command centers.  .  True assurance must also bridge the human gap. That is, turn episodic manual checks into collaborative workflows that capture evidence in the flow of work. This ensures that even non-technical controls maintain the same tempo as the system's telemetry. The outcome is compliance aligned to the tempo of systems.  Assurance becomes a standing condition rather than an episodic event. The business gains continuous confidence from how operations already function, instead of layering assurance on after the fact. 

The Control Evaluation Framework No One Teaches You Before you test any control, pause. Strong auditors don’t start with steps. They start with framing. Here’s the framework I now use for every control regardless of type. Step 1: Define the Risk Boundary Ask: - What system, process, or population is actually in scope? - What is explicitly included? - What is implicitly excluded? Most audit gaps don’t come from bad testing. They come from testing the wrong boundary. Step 2: Understand Where the Risk Lives Ask: - Where could this process fail? - At which point would failure actually matter? - What would the impact look like if this control didn’t operate? If you can’t describe failure clearly, you don’t yet understand the risk. Step 3: Map the Control to the Risk (Not the Template) Ask: - What exactly is this control preventing or detecting? - Which part of the risk does it address? - What part does it not address? Controls are rarely as broad as their descriptions suggest. Step 4: Evaluate Scope Before Evidence Ask: - Who performs this control? - For which systems, modules, users, or scenarios? - Is that scope realistic for meaningful judgment? A control can operate correctly and still leave risk untouched. Step 5: Decide What Evidence Would Actually Convince You Ask: - If I were skeptical, what would I need to see? - What evidence would prove the risk is mitigated? - What evidence would only look good on paper? Only now should test steps exist. Step 6: Test Execution. Last Steps are not the work. They’re the final expression of thinking. Judgment → Scope → Risk → Evidence → Steps Never the reverse. The Real Takeaway You can test a control perfectly and still miss the risk entirely. That doesn’t mean the control failed. It means the framing did. That’s the difference between executing audit work and actually auditing. #itaudit #audit #security #risk

Does your last audit feel like it was designed for the modern era? For most teams, the answer is still no. Over the past few years at Thoropass, Eva Pittas, Austin Ogilvie 🗽, and I kept seeing the same disconnect: Compliance automation moved fast. Audit workflows did not. While platforms helped teams monitor controls in near real time, the audit itself remained slow, manual, and fragmented - built for a world that no longer exists. The result? More pressure on auditors, more work for customers, and too often, a tradeoff between speed, rigor, and cost. That’s why today I’m excited to share our latest thinking on Thoropass as the End-to-End Cybersecurity Auditor, and how we’re closing that gap by rebuilding the audit experience for the AI era. In the article, we cover: -Why traditional audit workflows don’t scale for modern, real-time organizations -How GenAI can transform core audit fieldwork without sacrificing rigor -Why audits must work seamlessly across the broader compliance and GRC ecosystem -How capabilities like Smart Sort AI let evidence flow directly into the audit, no matter where it originates This isn’t about “doing audits faster.” It’s about doing them better: with more consistency, stronger judgment, and higher trust. All while eliminating the manual work that never should’ve existed in the first place. We believe the future of cybersecurity audits is end-to-end, AI-powered, and human-supervised. And we’re just getting started. 👉 Read the full piece here: https://bit.ly/4bqNTaB

External audit tomorrow. You know there are gaps. Wrong move: Panic. Hide issues. Hope auditor doesn't find them. Smart move: Control the narrative. Pre-audit email to auditor: "Welcome tomorrow. To help with audit efficiency, here are known improvement areas we're actively addressing: [Issue] - Corrective action in progress, completion date [X] [Issue] - Budget approved, implementation timeline [Y] [Issue] - Root cause identified, preventive action plan attached Happy to discuss our improvement roadmap during the audit." Here's what this does: You found the problems first. You're already fixing them. Auditor sees proactive culture, not hiding culture. Every audit-smart QA professional knows: Auditors punish surprises and defensiveness. They reward transparency and action. The audit formula: - Find your own gaps before auditor does - Have action plan ready - Show timeline and resources - Present as continuous improvement, not failure Result: Minor observations instead of major non-conformities. Audit report says: "Strong improvement culture observed." Not: "Multiple violations discovered." Same problems. Different narrative. Different result.