Lessons Learned from Corporate Audits

I used to think Internal Audit was my enemy. I was wrong. Early in my career as a CISO, I treated the Internal Audit team like a high-stakes exam I had to "pass." My strategy was simple: Provide the bare minimum information. Defend every "finding" as if my life depended on it. Treat the final report as a grade on my personal performance. Then came the audit that changed everything. We had a significant finding regarding our third-party risk management. My first instinct? Defensiveness. I had a 10-slide deck ready to explain why the auditor didn't "understand the technical context." But instead of presenting it, I stopped. I asked the auditor: "What is the actual business risk you're seeing here?" The answer wasn't about the tech; it was about a gap in our vendor termination process that could lead to a massive compliance fine—something I had been trying to get budget for but couldn't justify. That’s when it clicked. Internal Audit wasn't there to catch me making a mistake. They were there to provide the independent validation I needed to get the Board’s attention on critical gaps. Here are 3 things I learned that changed my relationship with IA: Be transparent about your "Known Gaps": If you know something is broken, tell them. They can help you document the risk and the path to remediation, which often helps you secure the necessary resources. Standardize your "Evidence Locker": Don't scramble for screenshots during an audit. Build a culture where evidence is collected as part of the daily workflow. Internal Audit is your megaphone: They have a direct line to the Audit Committee and the Board. If you want a security project prioritized, having it listed as a "finding" in an audit report is often the fastest way to get it funded. Today, my relationship with IA is a partnership. We align on the audit plan before it starts, and we treat findings as a shared roadmap for maturity. CISOs: Stop fighting your auditors. They are the best allies you have for building a resilient organization.

Early on in my auditing career at Deloitte, I learned a valuable lesson that has stuck with me ever since. It's a big reason why I became a successful CFO and consultant. Here it is: We never started audits by just checking the numbers.   Instead, we focused on the processes behind those numbers.  📌 Why?   Every number in a financial statement comes from a business process.   If that process is flawed, the numbers might be inaccurate—or worse, fraudulent.  Imagine I’m auditing a company with $20M in reported sales.   If I only match invoices to revenue, I’ve missed the bigger picture.  There are so many invoices I can vouch anyway I still won't see anything. Or I see what the invoices want me to see. Even if I did find something on a small sample, projecting it to the wider population always seems like a massive overreach ✔️ Instead, I ask:   🔹 How do they take and fulfill orders?   🔹 How do they bill customers?   🔹 What controls ensure accurate billing, collection and reporting?  📌 I walkthrough contracts, shipping documents, and bank statements to verify activity.  🚀 By focusing on the underlying process, I can:   ✅ Identify risk areas and gaps in controls.  (this then becomes the focus of the audit) ✅ Benchmark against industry best practices.   ✅ Help businesses increase revenue or reduce inefficiencies. Even though I’m no longer an auditor, this lesson still shapes how I advise businesses today.  My message here (particularly to SME Accountants): 👉 Don’t just record numbers.   Understand the "Why" and "How" behind them.  💡 Ask yourself: ✔️ Where does this data come from?   ✔️ How do our systems ensure the completeness and accuracy of the data?   ✔️ How can we reduce errors and improve decision-making?  When you optimize financial processes, you don’t just track business performance You improve it.  🚀 Step out of the ledger. Step into business impact.   📊 Your value isn’t just in recording numbers—it’s in improving the processes that create them.  Cheers, Ajibola 🔄 Tag a finance professional who needs this mindset shift!  

🤔 Audit Reports That Drive Change: How to Tell if Findings and Recommendations Are Actually Good Executives rely on audit to surface risk, flag weak controls, and improve operations. But not all audit reports are equal. Some lead to lasting change. Others fade after a status meeting. So how do you evaluate whether the findings and recommendations are actually good? Here’s what to look for—or deliver: 🔍 1. The Finding Identifies the Root Cause, Not Just the Symptom A symptom says what happened. A good finding reveals why it happened—and what systemic weakness allowed it. Executives: don’t settle for shallow descriptions. Auditors: dig until the “why” is clear. 📊 2. The Finding Is Material and Risk-Aligned Does this issue matter to the business? Effective audits prioritize based on impact—financial, operational, legal, or reputational. A finding no one would act on isn’t insight. It’s noise. 💡 3. The Recommendation Is Practical and Targeted “Improve controls” is vague. “Require dual authorization for expenses over $10K using [system]” is clear. Good recommendations are: → Specific → Implementable → Assigned to a business owner → Backed by cost-benefit rationale 🔄 4. There’s a Clear Link Between the Finding and the Fix Weak audits present mismatched recommendations. Each recommendation should directly respond to its related finding—with logic that ties them together. 🧠 5. Both Are Framed in Business Terms Executives shouldn’t need a glossary. Auditors: avoid jargon, and explain both issues and fixes in operational language. ✅ 6. There’s a Plan for Ownership, Monitoring, and Follow-Up A good recommendation becomes a business improvement initiative—with timelines, accountability, and KPIs. Executives: make follow-through part of your performance culture. Auditors: follow up and escalate if remediation stalls. 🤝 7. The Process Builds Trust, Not Fear Findings and recommendations should invite collaboration—not resistance. Well-framed audit insights make the business stronger, not just “safer.” 💬 Whether you’re on the giving or receiving end of an audit report, this is the test: Does this help us manage risk and improve how we work? If not, the finding may be shallow—or the recommendation may be off-target. Strong audit work is a value driver. Weak audit work just adds to your inbox. ⚡ Comment and connect. #InternalAudit #Governance #AuditExcellence #ExecutiveLeadership #RootCause #RiskManagement #CAPA #AuditFindings #BusinessImprovement #CARMAFramework #DealDoctor

How did 1 year look like in internal audit at a Big4? Note: Experiences may differ. To help you understand the kind of exposure one can get, I have shared the 4 core projects I spent ~75% of my time on. Each had different scopes, challenges and learning outcomes. (all manufacturing clients) 1. Price Supplementary & Logistics Audit (Audited pricing changes, logistics data and CTO checks): Heavy manual punching from PDF to Excel – built early Excel shortcuts; 2-week outstation audit across 3 plants – attended opening meetings, understood how field audits differ from remote ones; limited client talk at HO but meaningful exposure at plants; saw how audit checklists are implemented physically; absorbed audit mindset from seniors – how to test, replicate, and present findings cleanly. 2. Manpower Audit (Audited headcount, attendance, payroll controls): First time seeing client disagreements; taught me how seniors respond to resistance with calm and facts; identified major finding involving overtime misuse; used Power BI for heavy data – visualized anomalies in data, but still had to manually verify with physical records; tight deadlines before final meetings taught me focus under pressure; learned how observations need backing, not just assumptions. 3. Spare Parts Division Audit (Audit scope: procurement, warehousing, dealer incentives): Joined mid-audit – needed 1–2 weeks to catch up on past discussions; performed testings, peer reviews, closing file work; first time giving review comments and receiving feedback on mine; interacted with mid-level client staff – understood how audit tone shifts based on level; explored Alteryx for workflow automation – basic but eye-opening on how tech fits into audit; best mix of autonomy and learning – not new, not too senior; realized how documentation, communication, and teamwork drive a smooth close; favorite audit of the year. (learnt why seniors fear reviews!) 4. Compliance Audit (FEMA & Customs): Audit focused on regulatory filings; reviewed filings, policy adherence, import/export documentation; used AI tools to summarize provisions, minimal Excel compared to others; interacted with senior – observed how findings are communicated differently at that level; relaxed audit timeline, but required depth of understanding; a little less worried about IDT now. Apart from finance, I do not think there was any business process I did not at least get some exposure to. I was trained heavily in Excel, BI and used AI extensively during audits, and even got to try Alteryx to build simple workflows. For anyone still unsure about this domain – I hope this helps bring some clarity. Yes, as a first-year article, a lot of what I did was manual and repetitive at times – but that should not be a deciding factor in choosing or rejecting internal audit. That kind of work exists in every domain you enter. What matters more is what you make of it.

𝗜𝗳 𝘆𝗼𝘂 𝗴𝗮𝘃𝗲 𝗺𝗲 𝟯𝟬 𝗺𝗶𝗻𝘂𝘁𝗲𝘀 𝘄𝗶𝘁𝗵 𝗮𝗻 𝗮𝘂𝗱𝗶𝘁 𝗰𝗼𝗺𝗺𝗶𝘁𝘁𝗲𝗲, 𝗜 𝘄𝗼𝘂𝗹𝗱 𝗻𝗼𝘁 𝗿𝗲𝘃𝗶𝗲𝘄 𝘁𝗵𝗲 𝗺𝗶𝗻𝘂𝘁𝗲𝘀. 𝗜 𝘄𝗼𝘂𝗹𝗱 𝗮𝘀𝗸 𝗳𝗼𝘂𝗿 𝗾𝘂𝗲𝘀𝘁𝗶𝗼𝗻𝘀. Minutes record what already was discussed without looking for context or quality of the discussion. What I look for is whether the questions in that room were the right ones. In many of my investigations, the audit committee did exist. The difference was in how numbers were actually looked at. These four questions usually reveal that. 𝟭. 𝗗𝗼 𝘆𝗼𝘂 𝗵𝗮𝘃𝗲 𝗮𝗰𝗰𝗲𝘀𝘀 𝘁𝗼 𝗱𝗮𝘁𝗮 𝗯𝗲𝘆𝗼𝗻𝗱 𝘄𝗵𝗮𝘁 𝗺𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁 𝗽𝗿𝗲𝘀𝗲𝗻𝘁𝘀? If the answer is no, the committee is reviewing a curated version of reality. Oversight without independent data access can’t be oversight at all; at the best its ratification. 𝟮. 𝗛𝗼𝘄 𝗱𝗼 𝘆𝗼𝘂 𝗱𝗲𝗳𝗶𝗻𝗲 𝘁𝗵𝗲 𝗿𝗼𝗹𝗲 𝗼𝗳 𝘁𝗵𝗲 𝗲𝘅𝘁𝗲𝗿𝗻𝗮𝗹 𝗮𝘂𝗱𝗶𝘁𝗼𝗿? If the answer includes fraud detection, there is a fundamental misunderstanding of the mandate. The Standards on Auditing are clear on this. Audit committees that rely on the external auditor to catch fraud have an assurance gap they may not know exists. 𝟯. 𝗛𝗼𝘄 𝗺𝘂𝗰𝗵 𝘁𝗶𝗺𝗲 𝗱𝗼 𝘆𝗼𝘂 𝗮𝗰𝘁𝘂𝗮𝗹𝗹𝘆 𝘀𝗽𝗲𝗻𝗱 𝗿𝗲𝘃𝗶𝗲𝘄𝗶𝗻𝗴 𝗮𝗻𝗱 𝗰𝗵𝗮𝗹𝗹𝗲𝗻𝗴𝗶𝗻𝗴? A committee that meets for 90 minutes before the full board, reviewing 200 pages distributed 48 hours earlier, cannot exercise meaningful scrutiny. The architecture exists, but not the time required to use it. This was very evident in research I did for the listed companies. 𝟰. 𝗪𝗵𝗮𝘁 𝗲𝘅𝗽𝗲𝗿𝗶𝗲𝗻𝗰𝗲 𝗱𝗼𝗲𝘀 𝘁𝗵𝗲 𝗰𝗼𝗺𝗺𝗶𝘁𝘁𝗲𝗲 𝗵𝗮𝘃𝗲 𝗶𝗻 𝗱𝗲𝗮𝗹𝗶𝗻𝗴 𝘄𝗶𝘁𝗵 𝘀𝗶𝘁𝘂𝗮𝘁𝗶𝗼𝗻𝘀 𝗶𝗻𝘃𝗼𝗹𝘃𝗶𝗻𝗴 𝗳𝗶𝗻𝗮𝗻𝗰𝗶𝗮𝗹 𝗺𝗮𝗻𝗶𝗽𝘂𝗹𝗮𝘁𝗶𝗼𝗻? Financial qualification and investigative experience are built through different careers. Most audit committees are composed entirely of the former. Experience of how manipulation actually appears in numbers is less common. That perspective, often described as a forensic lens, is usually developed through investigation. Its absence is a structural gap worth examining. Four questions. Thirty minutes. Sometimes that is all it takes to see where the gaps are. 𝗜𝗻 𝘆𝗼𝘂𝗿 𝗲𝘅𝗽𝗲𝗿𝗶𝗲𝗻𝗰𝗲, 𝘄𝗵𝗶𝗰𝗵 𝗼𝗳 𝘁𝗵𝗲𝘀𝗲 𝗳𝗼𝘂𝗿 𝗶𝘀 𝘁𝗵𝗲 𝗵𝗮𝗿𝗱𝗲𝘀𝘁 𝘁𝗼 𝗴𝗲𝘁 𝗿𝗶𝗴𝗵𝘁? #AuditCommittee #CorporateGovernance #FraudRisk #RiskManagement #FinancialReporting #ForensicForesight #Compliance

Over the years, I’ve learned that the most valuable insights don’t just sit in reports—they emerge from conversations. Audits that truly drive impact don’t happen because we asked more questions; they happen because we asked better ones. That’s why my team and I dedicate time to engaging with stakeholders at every level. We’ve found that the most powerful questions: Challenge assumptions – Are we following this process because it works, or just because it’s always been done this way? (We recently found a control weakness buried under a “legacy” practice—one no one had questioned in years!) Reveal blind spots – What risks are hiding in plain sight? (One of our audits uncovered language barriers in employee surveys, leading to 72% of workers being unintentionally excluded from providing feedback!) Drive meaningful conversations – How can we turn compliance into a strategic advantage? (I’ve seen firsthand how shifting the conversation from “compliance burden” to business enabler opens doors for better governance.) This is why I see internal audit as more than just oversight—it’s a catalyst for innovation. This year, my focus has been on reinforcing our role as trusted business partners. Moving from checklists to collaborative discussions. Turning audits from a retrospective exercise into a forward-looking strategy. Ensuring our insights don’t just highlight risks—they drive value. And it all starts with asking the right questions. #InternalAudit #RiskManagement #Leadership #StrategicValue

India is taking corporate governance more seriously than ever, from tighter SEBI oversight to growing investor expectations, it’s clear — governance is no longer optional. It’s foundational.   Despite this national shift, many companies — even well-established ones — continue to delay audits, defer accountability, and underestimate the long-term cost of weak internal systems.   As a founder, watching this unfold pushed me to ask: How can we do better — and do it early?   At EndureAir Systems Pvt. Ltd., our journey has been a steep learning curve:   📌 FY 22-23: It took us 6 months to close the books. 📌 FY 23-24: We brought it down to 3 months. 📌 This year? We completed our audit and closed the books in just 15 days.   Not because we rushed, but because we were ready.   That’s what happens when you invest in internal structures that are on par with the external controls expected of you.   Here’s what I’ve learned along the way:   1️⃣ Start early Build your governance muscle before you're forced to. It saves a lot of pain later. 2️⃣ Embed it in your culture Governance isn’t a department — it’s a mindset that should run across every function. 3️⃣ Get the right advisors The right voices in the room bring clarity, checks, and much-needed perspective. 4️⃣ Strong governance gives you back your time For founders especially, it removes the burden of a 6-month audit cycle and frees you to focus on product, people, growth, and scale.   We’re still learning, but this year felt like a true shift — not just in process but in mindset. #CorporateGovernance #ESG #AuditReady #StartupIndia #FounderJourney #GovernanceMatters #Leadership #Transparency #BuildInIndia #BusinessEthics #ScalingRight #IndiaInc #StartupLeadership #SustainableBusiness #InternalControls #EthicalLeadership #SEBI #InvestorTrust #StartupCompliance #GrowthWithGovernance Startup Incubation and Innovation Centre, IIT Kanpur (incubatoriitk) Startup India Entrepreneur India  

7 lessons I learned after years of helping companies achieve compliance and certifications, I wish I had known them sooner. 1. Compliance is more than passing an audit.  → It is about building a culture of quality, protecting patients, and ensuring your systems can stand the test of time. 2. Simplicity is powerful.  → Regulations can feel overwhelming, but breaking them down into clear steps makes compliance achievable and sustainable. 3. Strategic partnerships matter.  → Collaborating with the right consultants, auditors, and regulatory experts has transformed projects, turning challenges into success. 4. Networking builds resilience.  → Trusted connections across medical device, biotech, and pharma industries often become the key to solving complex compliance issues. 5. Agility and experience drive results.  → Each regulatory pathway is unique. Experienced guidance helps avoid costly delays and accelerates market access. 6. Communication is non-negotiable.  → Clear, structured communication with teams, auditors, and regulators ensures alignment and confidence throughout the process. 7. Compliance is continuous.  → It is not a one-time milestone but an ongoing commitment to quality, safety, and improvement. The more complex the regulations, The stronger your systems need to be. Question: What has been your biggest lesson in navigating compliance and obtaining certification?

175 pages of the learnings from the largest audit firms.  PwC, Deloitte, EY, KPMG, BDO, FORVIS Mazars.  Here is my quick summary.    Once a year, the FRC publishes detailed reports on its quality inspections of the largest UK accounting firms.    There are golden insights packed within the 175 pages of materials that the FRC published.    Here are the highlights that you can learn from:    Good Practices:  Revenue audits: Cash-to-revenue reconciliations and targeted outlier testing improved efficiency and effectiveness.  Group oversight: Strong involvement with component auditors and use of data analytics.  Risk assessment: Robust risk assessment procedures and stand-back evaluations.  Use of specialists: Especially in valuations, going concern, and insurance liabilities.  Ethics & independence: Prompt consultations and clear communication with audit committees.  Climate disclosures: TCFD improvements and peer benchmarking.    Common Areas for Improvement:  Impairment testing: Weak challenge of assumptions in goodwill and intangibles.  Revenue cut-off and contract accounting: Inconsistent testing procedures and documentation.  Audit file assembly: Gaps in archiving and review processes.  Group audit scope: Inadequate justification and oversight.  Inventory valuation: Insufficient evidence and skepticism.    What’s Next?  The FRC wants firms to go beyond ticking boxes and start challenging assumptions, testing data rigorously, and embedding quality into every stage of the audit.    Technology has a big role to play. But so does evolving the skills of modern auditors.    I’ve summarized each firm’s inspection in bite-sized posts over recent weeks.     Here they all are, summarized together! 

The Sweet Trap: A New Auditor's Tale Sanjay was excited about his first solo audit. Fresh out of training, he wanted to show everyone how good he was at his job. Walking into NT International Company Ltd. with his laptop and notebooks, he felt ready to find any mistakes in their work. During his first week, Sanjay found several problems in how the company bought things. He was proud of his findings. When he showed them to Vikrant, the Finance Head, something unexpected happened. "This is amazing work, Sanjay!" Vikrant said with a big smile. "You've found things that even experienced auditors missed." Sanjay couldn't stop grinning. This was exactly what he wanted to hear. Over the next few days, Sanjay became too relaxed. He thought he had already done the hard part by finding these problems. He started taking longer breaks and didn't look as carefully at other things. After all, he already had good findings to show his boss. But Vikrant had a plan. Two days before the final meeting, Sanjay sat down with Vikrant to discuss his findings. Vikrant pulled out a thick folder. "About those problems you found," Vikrant started, his friendly smile gone. Then, one by one, he showed Sanjay why each of his findings was wrong. Everything Sanjay thought was wrong had a good explanation. All the things Sanjay thought were mistakes were actually normal business practices he didn't understand fully. Sanjay felt sick to his stomach. His "great findings" were nothing. He hadn't just failed to find real problems – he'd fallen for a simple trick. Vikrant had praised him to make him overconfident, and it worked perfectly. That evening, Sanjay sat at his desk staring at his empty report. He felt embarrassed and angry at himself. But as he thought about what happened, he learned something important. He realized being a good auditor isn't about finding a few problems quickly. It's about being careful, understanding everything properly, and not letting praise make you careless. Sanjay took out a notebook and wrote: "Remember: A good auditor stays careful from start to finish." Years later, Sanjay became a senior auditor. He always told this story to new team members. "When someone seems too impressed by your work," he would say with a smile, "that's when you need to look even harder." He kept his old notebook as a reminder of his first audit. It taught him that in auditing, like in a long race, starting well isn't enough – you need to stay strong until the end.