
Risk-based plans, fieldwork, and reporting that pass committee scrutiny. Co-sourced or fully outsourced, partner-led on every engagement.
Internal audit is the third line. Treat it that way.
Internal audit is the function the audit committee turns to when they need an independent read on what is actually happening across the institution. Our practice is built for that: risk-based annual plans, fieldwork executed by people who have done the work being tested, reports that name what is broken and what to do about it.
We engage in three configurations: full outsourcing for institutions that have decided not to staff an in-house function; co-sourcing for institutions that have a CAE and need specialized subject-matter capacity (IT, AML, model risk); and quality assurance reviews — independent QARs against the IIA standards — for in-house teams.
What the audit committee gets is a partner. Not a deck. A partner who reads the workpapers, sits in the closing meeting, and writes the executive summary. The fieldwork is supported by our offshore team under direct partner review — that is how we keep the price honest without diluting the seniority of the conversation.
An enterprise risk assessment that informs a one-year audit plan calibrated to the institution's risk profile and regulatory expectations.
Walkthroughs, control testing, substantive procedures. Executed by people who have run the function being audited.
Findings ranked by severity, written for the audit committee. Three findings, not thirty.
Validation that management's remediation actually closed the control gap — not just the ticket.
Independent QARs against IIA standards for in-house internal audit functions, every five years.
Quarterly briefings, an annual report, and the conversations that happen in between.
Workshops with management; review of prior audits, examination reports, and operational losses; the annual plan is the deliverable.
Audits executed on the agreed plan; biweekly status to the CAE; partner present at every closing meeting.
Findings written, vetted with management, and presented to the audit committee. Severity ratings hold.
Quarterly status on open findings; revalidation when management says a control is fixed.
Risk Advisory · Internal Controls · 27 yrs
Andres has run internal audit functions and led co-source engagements for community banks, regional banks, and Fortune 1000 financial institutions across the Americas. He attends the meetings of every audit committee he reports to.
We do not provide opinions on financial statements, nor do we sign attestation reports. If your committee needs an external audit, we will help you find the right firm and will not take a fee for the introduction.