
Here's a question worth sitting with: when was the last time your internal audit function genuinely surprised the business, in a good way?

Not "we completed our SOX testing on schedule" surprised. Not "here's a 40-page report on control deficiencies" surprised. We mean the kind of surprised where internal audit surfaced an insight that changed a decision, prevented a costly mistake, or uncovered revenue that was quietly walking out the door.

If that question draws a blank, you're not alone, and you're not without options.

The risk landscape has fundamentally changed. Organizations today are navigating cyber threats that didn't exist a decade ago, deploying AI systems faster than they can govern them, and managing third-party ecosystems of breathtaking complexity. The compliance-checkbox model of internal audit wasn't built for this world. The organizations that figure that out—and act on it—are the ones that turn internal audit from overhead into one of the smartest investments in the office of the CFO.

That's what we want to unpack here.

Table of Contents

1. The Disconnect: Running a 2010 IA Function in a 2025 Risk Environment
2. What a Modern IA Function Actually Looks Like
3. The Build vs. Partner Question
4. AI and Technology: The IA Function That Can't Afford to Stay Analog
5. Making the ROI Case: A Framework CFOs Can Actually Use
6. The Bottom Line

The Disconnect: Running a 2010 IA Function in a 2025 Risk Environment

The most common pattern we see when we walk into a new internal audit engagement? An IA function that's essentially frozen in time. Heavily focused on SOX compliance testing and financial controls. Producing reports that confirm what passed and what failed. Checking boxes, filing workpapers, moving on.

And look, that work is important. For public companies subject to SOX, compliance isn't optional, and a well-run controls testing program is foundational regardless of where you fall on the 404 spectrum. But strong internal controls matter well before a company ever files with the SEC. Larger private companies and PE-backed organizations building toward an exit or IPO have just as much at stake. The point is this: if compliance work is all your internal audit function is doing, you're leaving a significant amount of value on the table.

Meanwhile, boards and audit committees are asking harder questions. They want to understand AI risk, cybersecurity exposure, operational resilience, and whether the organization's digital transformation initiatives are actually under control. The CFO is sitting there knowing the IA team is already stretched to capacity on compliance work. That gap between board expectations and IA capacity is where real risk accumulates quietly, until it isn't quiet anymore.

The CFOs who get this right don't just have better internal audit functions. They have better visibility, fewer surprises, and organizations that are genuinely more resilient. That's not a coincidence.

What a Modern IA Function Actually Looks Like

The shift from compliance-focused to value-driven internal audit doesn't happen overnight, and it doesn't happen by accident. It requires rethinking the operating model from the ground up around three core principles.

The Three Core Principles of a Modern IA Function

A value-driven internal audit function operates differently from a compliance-only one.

01. Risk-Based, Not Rotation-Based

  • What it means: The audit plan is driven by what's actually keeping executives up at night, not a predetermined schedule of business units or processes.
  • In practice: Dynamic risk assessment that responds to real change. If your audit plan looks roughly the same every year, that's a signal.

02. Technology-Enabled, Not Just Technology-Aware

  • What it means: Traditional IA relies on sampling: testing 25 or 30 transactions out of thousands or millions. Data analytics changes the equation entirely.
  • In practice: Testing entire transaction populations. Continuous monitoring that flags anomalies weekly or monthly: a metal detector across the whole field, not a random handful of hay.

03. Consultative, Not Just Compliance-Oriented

  • What it means: The best IA professionals are translators, speaking the language of controls with technical teams, then explaining why it matters in business terms to executives.
  • In practice: Partnering with management to understand root causes and develop practical solutions, not just documenting issues and walking away.

The Build vs. Partner Question

Here's the challenge that every CFO faces when they start thinking about modernizing their IA function: the skills required to do this well are genuinely hard to find and expensive to retain. You need people who understand data analytics, who can assess cybersecurity risk, who can evaluate AI governance frameworks, who can think strategically about operational risk, and who can do rigorous, well-documented audit work. That profile is rare, and the competition for that talent is intense.

Which is why more organizations are rethinking whether internal audit is a function that should be entirely built in-house, or whether a co-sourced or outsourced model might deliver better outcomes at a comparable or lower cost.

Co-Sourcing vs. Full Outsourcing: A Simple Framework

The distinction matters. The right model depends on your organization's specific situation.

Co-Sourcing

  • What It Is: External resources supplement an internal IA team
  • Best For: Organizations with a core IA team that needs capacity, specialized expertise, or both
  • Key Advantage: Maintains institutional knowledge while adding flexibility and specialized skills on demand
  • Common Triggers: SOX season capacity crunch, IT audit needs, IPO readiness, M&A integration, ERP implementation

Full Outsourcing

  • What It Is: External provider owns and executes the entire IA function
  • Best For: Smaller organizations, PE portfolio companies, or situations requiring a clean external perspective
  • Key Advantage: Speed of deployment, independence, and access to senior expertise without the full-time cost
  • Common Triggers: Control environment breakdown, cost optimization, governance requirement without a full-time team

The "consultants are always more expensive" perception deserves a closer look. Yes, external hourly rates are higher than internal salaries on a per-hour basis. But that comparison ignores the full picture: downtime during non-peak seasons, benefits and overhead, training and development costs, and the very real cost of turnover. When someone with deep IA expertise leaves your team, they take institutional knowledge with them.

More importantly, with the right external partner you're accessing director-level experience and judgment: people who've seen dozens of control environments, who know what good looks like, and who can deploy that pattern recognition immediately. A mid-market company isn't going to hire a Big Four senior manager for a full-time internal audit role. But they can access that caliber of thinking through a co-sourced model.

The practical version looks something like this: a company maintains two full-time internal auditors who own audit committee relationships, ongoing coordination, and routine operational audits. During SOX season, a co-sourced team of four or five handles the bulk of testing. In Q1, a specialized IT auditor comes in for the annual cybersecurity assessment. The core team maintains continuity and institutional knowledge; the external team brings specialized expertise exactly when it's needed. The internal folks also learn by working alongside experienced practitioners; it's a development model as much as a delivery model.

One concern worth addressing directly: knowledge transfer. It's legitimate. The answer isn't to dismiss it, but to insist on the right model. The best external partnerships are built around thorough documentation in a GRC platform the client owns, regular knowledge transfer sessions, and an explicit commitment to building internal capability over time. The goal isn't dependence; it's sustainable, flexible capability.

There's also a benefit that often goes unappreciated: external partners don't carry the "that's just how we've always done it" institutional blindness that can develop over time. They bring fresh eyes. They ask questions that people inside the organization stopped asking years ago.

AI and Technology: The IA Function That Can't Afford to Stay Analog

Every CFO we talk to is somewhere on the digital transformation journey: implementing new ERPs, deploying AI tools, automating processes across the organization. The risk is that internal audit becomes the analog function in a digital organization. It can't. The rest of the business won't wait.

Technology is reshaping internal audit in several important ways:

Data analytics and continuous monitoring transform the scope and speed of audit work. Testing entire transaction populations rather than samples. Running anomaly detection scripts across every invoice or journal entry. Setting up monitoring routines that flag issues in near-real-time rather than after the fact. The shift from annual or quarterly testing to ongoing monitoring is one of the highest-impact changes an IA function can make.

AI-powered document review and risk assessment extend what's possible. AI can review thousands of contracts against revenue recognition standards faster than any team could manually, extracting key terms, flagging issues, surfacing what needs human attention. Machine learning models can identify fraud patterns that humans might miss. AI can also scan unstructured data (emails, news articles, industry signals) to surface emerging risks that wouldn't appear in a traditional risk assessment process.

The auditors themselves aren't going anywhere, but their roles are evolving. Technology handles the repetitive, high-volume testing work. What it doesn't do is apply professional judgment, understand business context, have difficult conversations with management, or develop recommendations that are practical enough to actually get implemented. Technology frees up auditors to do that work instead. The skill set shifts from "can you execute a well-designed test" to "can you design the right test, interpret the results, and drive meaningful change?"

AI Is Both a Tool and a Risk Area

One of the more nuanced conversations happening in boardrooms right now goes something like this: "Are we moving fast enough on AI?" and "Are we moving too fast on AI?", sometimes in the same breath. Internal audit should be at the center of that conversation, not watching from the sideline.

Organizations across the spectrum (some deploying AI rapidly in customer service, fraud detection, pricing, and hiring; others not using it at all) frequently share one thing in common: they haven't fully addressed the governance structures those AI systems require. Internal audit needs to be asking whether the organization knows where AI is being used, whether the risks have been assessed, and whether appropriate controls exist around data quality, model validation, and ongoing monitoring. These aren't hypothetical future concerns. They're present-day audit priorities.

The Technology Investment Question

Tool fatigue is real. Organizations have invested in platforms that promised transformation and ended up as expensive shelfware. A few categories are genuinely worth evaluating:

  • Audit management platforms (Workiva, FloQast) for managing the full audit lifecycle with transparency to stakeholders
  • Data analytics platforms (Alteryx, Power BI, ACL) for connecting to source systems and testing at scale
  • Integrated GRC platforms (Archer, ServiceNow, LogicManager, Workiva) that link risk management, compliance, and audit to avoid operating in silos
  • Continuous monitoring tools that provide real-time dashboards on control effectiveness

The value of working with an experienced external partner in this space isn't just the audit work; it's the pattern recognition from seeing what actually works across dozens of technology implementations versus what turns into shelfware. And often, an external partner can deploy their own tools as part of the engagement, letting you test-drive the technology before committing to a purchase.

Making the ROI Case: A Framework CFOs Can Actually Use

Internal audit often ends up in an awkward budget conversation: treated as overhead, defended on compliance grounds, justified by "we have to do it." CFOs who view their IA function that way tend to be the same ones who get blindsided by fraud, control failures, and operational breakdowns. The reframe is simple but important: stop asking "what does internal audit cost?" and start asking "what does not having effective internal audit cost?"

Four Ways Internal Audit Creates Measurable Value

01. Prevented Costs

Finding weak spots before they lead to big mistakes. This includes spotting fraud schemes and cyber risks before they cause losses or a breach. It is like insurance—you are glad it is there when you need it.

02. Recovered Value

Finding actual money that would have been lost. This includes billing errors, missed revenue, or fake transactions. When these are found, you can put an exact dollar amount on the recovery.

03. Process Improvements

Acting as a partner to find where the business can run better. It is about spotting slow or wasteful processes, not just following rules, to help the business improve.

04. Stakeholder Confidence

Building trust with investors and lenders. Good internal audits can help lower fees and capital costs. For companies with private equity backing, strong controls make the business more valuable to buyers.

Metrics That Tell the Story

A balanced scorecard approach works well here. Quantitative metrics (number of audits completed, percentage of high-risk areas covered, findings issued and remediated, dollar value of prevented or recovered losses) give the audit committee something concrete to evaluate. Qualitative indicators fill in the picture: Is internal audit getting invited into strategic conversations early? Are recommendations being implemented? Is the function seen as a trusted advisor or a compliance obligation?

The latter questions are often the most telling.

What the Numbers Can Look Like

To make this concrete: consider a mid-market retailer operating with two full-time internal auditors at roughly $250,000 in annual salary and benefits. The team was completing approximately six audits per year, almost entirely focused on SOX compliance. The audit committee was asking for more risk-based coverage. There was no capacity to deliver it.

A co-sourced model came in at roughly the same annual cost, but deployed senior-level resources, leveraged data analytics tools, and completed 12 audits per year, covering both compliance requirements and strategic risk areas. In the first year, the engagement identified $1.2 million in revenue leakage from a pricing system error and uncovered a vendor fraud scheme that would have cost the organization $400,000 annually going forward.

That's approximately an 8x return in year one, measured purely in recovered and prevented dollars. Beyond the hard numbers, the audit committee had substantially higher confidence in the IA function, management was receiving more actionable insights, and the organization's overall risk posture improved in measurable ways.

The Bottom Line

In an environment defined by economic uncertainty, regulatory complexity, cyber threats, and accelerating technological change, the organizations that thrive are the ones with strong risk intelligence and governance infrastructure. Internal audit is a critical part of that infrastructure. The only real question is whether you're going to do it well or do it poorly.

Doing it well means having the right model, the right technology, and the right expertise, whether that's built entirely in-house, co-sourced, or fully outsourced. It means shifting from backward-looking compliance work to forward-looking risk intelligence. And it means being able to demonstrate, in concrete terms, the value that function delivers to the business.

At Embark, we offer complimentary IA assessments that look at your current state, benchmark you against peers, and identify the most meaningful opportunities to enhance value. No obligation, just a conversation that often surfaces insights organizations find genuinely useful.
