I saw a Board choose one CFO over another, and it wasn’t what you think. Two highly accomplished CFOs were contenders for a pivotal Audit Committee Chair role. Both had impeccable credentials: decades of experience, flawless technical mastery, and strong governance backgrounds. During the selection, each was asked how they would handle a significant, unexpected financial adjustment in the upcoming quarter. The first CFO outlined a precise, technically sound response: “We will ensure full compliance with IFRS, document the variance thoroughly for the auditors, and re-forecast the following quarters to absorb the impact.” It was correct, disciplined, and focused on managing the event. The second CFO framed it differently: “First, I will brief the Board on the operational root cause, not just the accounting impact. Second, we will pre-empt investor concerns by linking this adjustment to our broader strategic realignment. Third, I’ll work with IR to ensure our narrative emphasizes long-term resilience, not short-term noise.” It was strategic, forward-looking, and focused on leading through the event. The Board’s choice was unanimous. You see, the first CFO spoke the language of accounting. The second spoke the language of governance and stakeholder confidence. Both were skilled. However, only one demonstrated board-level intelligence: the ability to see beyond the ledger and steward perception, strategy, and trust. The lesson was clear: technical proficiency is the price of entry. True influence at the board level comes from framing financials within the context of enterprise value, reputation, and strategic narrative. So, for finance leaders aiming for the #boardroom, stop mastering only the numbers. Master the story they tell, the risks they hide, and the future they imply.
Auditing Practices Overview
-
Audit, Risk & Compliance (ARC): The Three Pillars of Strong Governance "Let me explain why Audit, Risk, and Compliance aren’t just checkboxes—they’re your governance backbone." I’ve had this conversation many times with peers, clients, and boards. And here’s what I often say when someone asks, “How do you build strong governance?” You start with ARC: - Audit - Risk Management - Compliance Each has its role, but when aligned, they become a strategic force. Let me walk you through it from experience: 🔍 Audit is your independent lens. Think of Audit as the team that tells you what’s happening. Their job is to verify that controls are working, not just existing on paper. ▶ Example: I once saw an internal audit uncover a $500K billing discrepancy no one had noticed. That wasn’t just cost savings; it was a control failure caught before it became reputational damage. The best audit teams today use data analytics and real-time assurance tools to stay ahead. Traditional static audits no longer suffice. ⚠️ Risk is your radar. Risk Management isn’t about stopping risk, it’s about knowing which risks matter, and how much risk you can take to grow. I’ve seen risk teams run scenario analyses ahead of market expansion that flagged FX volatility. With a solid hedging plan, they avoided a 7% EBITDA hit. That’s what proactive risk management looks like. And right now? The strongest risk programs I’ve seen are integrating AI, ESG risk, and third-party oversight into their frameworks. ✅ Compliance is your moral and legal compass. Compliance isn’t just about avoiding fines. It’s about building trust internally and externally. A solid compliance program is the reason one company I worked with navigated new data privacy regulations across multiple countries without missing a beat or getting penalized. What’s changing? Compliance is becoming more automated, more behavior-driven, and more global. And that means compliance officers need better tech and a seat at the strategy table.
Now here’s the key: ARC only works when it's integrated. When Audit, Risk, and Compliance operate in silos, things fall through the cracks. But when they collaborate, sharing insights, aligning priorities, and using common platforms, governance becomes a value driver. A recent PwC survey backs this up: - 73% of execs say ARC alignment improves decision-making - 65% plan to invest in integrated GRC platforms - Over half say Internal Audit is now a transformation partner If you’re leading or supporting ARC functions, my advice is simple: Don’t build walls, build bridges. The future of governance isn’t in functions. It’s in how those functions work together. Let me know how ARC works in your organization today. Do the functions collaborate, or still operate in silos? #Governance #InternalAudit #RiskManagement #Compliance #GRC #BoardEffectiveness #OperationalResilience #Leadership #3prm #tprm #GovernanceExcellence #RiskStrategy #ComplianceCulture
-
Every major consulting firm published research exposing its own playbook. Leadership teams keep buying what the research says doesn't work. I pulled insights from McKinsey, BCG, Deloitte, Gartner, PwC, HBR, MIT Sloan, EY, Accenture, and KPMG - all published in the last 18 months. The through-line is uncomfortable. 1️⃣ What leadership assumes is causing failure → Employee resistance → Technology gaps → Skills deficits → Change fatigue 2️⃣ What the research actually shows → Unclear value creation (McKinsey: 74% fail here) → Complexity, not fatigue (HBR: 70% fail from overengineering) → Trust gaps, not tech gaps (PwC) → Confusing output with outcomes (Gartner) 3️⃣ The governance gap nobody addresses → These reports all point to the same invisible problem: transformation strategies that never translate into measurable decision infrastructure. → Boards don't buy stories. → They buy ROI clarity. → But ROI clarity requires governance architecture most initiatives never build. Most executives commission: ❌ More consultants to validate complexity ✅ Fewer priorities with sharper accountability and clearer value metrics Here's the full reading list: 1️⃣ McKinsey — The Hard Truth About Transformation 🔗 https://lnkd.in/enpek2AH 2️⃣ BCG — It's Time to Rethink Change Management 🔗 https://lnkd.in/er_Jm8QD 3️⃣ Deloitte — The ROI of Transformation: Measuring What Matters 🔗 https://lnkd.in/eQ7_h338 4️⃣ Gartner — Digital Transformation Myths Busted 🔗 https://lnkd.in/e6sksX6T 5️⃣ PwC — Transformation in the Age of Trust 🔗 https://lnkd.in/e6-Q-J8C 6️⃣ Harvard Business Review — Stop Overengineering Transformation 🔗 https://lnkd.in/e6sRxrfg 7️⃣ MIT Sloan — Why ROI Should Be Your North Star 🔗 https://lnkd.in/epQfY9BT 8️⃣ EY — Transformation Realities: Value Creation Beyond Cost 🔗 https://lnkd.in/earXcbUQ 9️⃣ Accenture — From Change Fatigue to Change Fit 🔗 https://lnkd.in/eAMK2wgN 🔟 KPMG — De-Risking Transformation 🔗 https://lnkd.in/eAa4SUBr What myth is quietly draining your transformation budget? 💬 Any reports you'd add to this list? --------- 🔔 Follow Justin R. for more transformation insights ♻️ Repost to help someone cut through transformation myths 🔑 Unlock my free frameworks in my Featured Section
-
If your controls only exist for the auditor, you don't have controls. You have theatre. And a lot of organisations have more of it than they realise. A control can be documented. Tested. Reviewed. Signed off. Reported as operating effectively. And still fail to change behaviour when it matters. That is the uncomfortable bit. Because control value is not created when evidence exists. It is created when the control improves a decision, prevents a bad outcome, clarifies ownership or changes how people act under pressure. A control that only works for the audit file is not a control. It is performance. The real test is different: ✅ Does the control change what someone does? ✅ Does it create useful friction before a poor decision is made? ✅ Does it clarify who owns the risk? ✅ Does it produce evidence that helps management act, not just audit test? ✅ Does it still work when the business is busy, stretched or under pressure? If the answer is no, the issue is not documentation. It is value leakage. That is why I created the free Beyond the Lines™ Internal Audit Value Leakage Map. It helps audit, risk and controls leaders diagnose where value disappears between insight and action, including where controls look fine on paper but fail to create real ownership or outcomes. 👉 You can access it here: https://lnkd.in/er_NbN-m 🗣️ Where do you see the most “control theatre” in organisations? Policy, evidence, sign-offs, remediation, reporting, or somewhere else? #InternalAudit #RiskManagement #InternalControls #Leadership #Audit
-
📈 Don’t scale what you can’t control Successful scaling is a game of phases & sequencing. But, but, but scaling without control is like giving a toddler a flame-thrower because they walked fast. Just because you can scale doesn’t mean you should. Especially in Crypto & FinTech—where the only thing that moves faster than your growth is the regulator’s patience running out. If you don’t build the controls, the growth will control you. Or worse—collapse you. Let’s get one thing straight: 🚀 Growth isn’t the goal. Sustainable growth is. Scaling is not a badge of honor if it comes with a side of chaos, customer complaints, & compliance disasters. Look at what’s happened across the digital asset space: • FTX scaled too fast, with zero internal guardrails. The result? A $9B hole & a masterclass in what not to do. • Terraform Labs? Massive growth. No brakes. No borders. & now—no passport. 🔍 The bigger you get, the bigger your target Cyberattacks, fraud attempts, enforcement actions—all scale with you. According to Chainalysis, crypto hacks alone crossed $3.8B in 2023, with the majority targeting high-growth platforms that expanded faster than they matured. A 2024 PwC report showed that 67% of FinTechs scaling at >100% YoY reported increased compliance violations, operational inefficiencies, or regulatory fines within 18 months. Why? Because they scaled the front-end without upgrading the back-end. 🚪 They built castles on sand. 📊 They chased metrics, not maturity. 🧠 Here’s what responsible scaling really looks like: 📏 Compliance maturity before user acquisition 🛠️ Risk controls before product expansion 🔄 Auditability before fundraising hype 🧍♂️ Governance before growth Because once you're in the spotlight, you don’t get to grow quietly anymore. Your mistakes echo louder. Your misses cost more. Don’t let your company become a cautionary tale. Don’t scale what you can’t control. Control it, then scale it. That’s how you build something worth scaling in the first place. 
#Crypto #FinTech #Leadership #Compliance #Regulations #RiskManagement #Scaling #Blockchain #DigitalAssets #Growth #Regulation #FinancialTechnology
-
Compliance isn’t choosing one framework, it’s understanding how they work together. Many organizations view SOC 2, ISO 27001, and GDPR as competing obligations, but the reality is far more integrated. SOC 2 validates data security controls for US-based service providers, voluntary but expected by enterprise clients. ISO 27001 provides a globally recognized ISMS foundation with comprehensive risk management and continuous improvement. GDPR legally enforces personal data protection for EU citizens with significant financial penalties for non-compliance. The strategic advantage lies in their overlap: access controls, incident response, vendor risk management, encryption, and breach notification requirements align across all three. Organizations that map controls once and satisfy multiple frameworks simultaneously reduce audit fatigue while strengthening their overall security posture. Rather than treating compliance as separate silos, mature GRC programs build unified control environments that address shared requirements, turning regulatory burden into operational excellence. What’s your approach to managing overlapping compliance frameworks? #GRC #SOC2 #ISO27001 #GDPR #Compliance #InformationSecurity #DataProtection
-
PROCESS AUDIT CHECKLIST (COMMON POINTS) IN MANUFACTURING SECTOR:

1. Process Control
• Are standard operating procedures (SOPs) available and followed?
• Is process capability (Cp, Cpk) monitored and within acceptable limits?
• Are control charts used for critical process parameters?
• Is there evidence of regular calibration of equipment and gauges?
• Are process changes documented and approved through change control?

2. Material Handling & Storage
• Are materials labeled correctly (name, batch, status)?
• Is FIFO (First-In-First-Out) or FEFO (First-Expiry-First-Out) followed?
• Are storage conditions (temp, humidity) monitored and maintained?
• Are rejected or non-conforming materials segregated and labeled?

3. Operator Competency & Safety
• Are operators trained and certified for the tasks they perform?
• Are safety PPEs being worn and used correctly?
• Are safety instructions and emergency procedures visible?
• Is there a system for reporting and investigating near-misses and incidents?

4. Equipment Management
• Is there a preventive maintenance schedule and is it being followed?
• Are breakdowns recorded and analyzed for recurrence?
• Are start-up and shutdown procedures standardized?
• Are critical spare parts available and tracked?

5. Quality Assurance
• Are in-process inspections conducted as per the control plan?
• Are inspection tools calibrated and used properly?
• Are quality issues tracked using root cause analysis tools (5 Why, Fishbone)?
• Are quality records complete and traceable?

6. Production & Planning
• Is actual vs planned production tracked?
• Are downtimes recorded with reasons?
• Is the takt time, cycle time, and lead time monitored?
• Are WIP levels controlled and visualized (kanban, signage)?

7. Waste Management & 5S
• Is workplace organization (5S) maintained?
• Are waste bins labeled and segregated?
• Are daily 5S audits conducted and actioned?
• Are there visible signs of lean practices (kaizen, visual boards, etc.)?

8. Tooling & Fixtures
• Are tools and fixtures stored properly with visual controls?
• Are they identified and logged for use and maintenance?
• Is there a system for tool calibration and wear tracking?

9. Documentation & Records
• Are process-related documents current and controlled?
• Are logs (production, quality, maintenance) filled accurately?
• Are version-controlled work instructions available at workstations?

10. Environmental & Regulatory Compliance
• Are emissions, effluents, and noise levels monitored and controlled?
• Is compliance with environmental regulations documented?
• Are MSDS (Material Safety Data Sheets) available and up-to-date?
-
The audit firm that used to send 6 people for 5 weeks now sends 2 for 2 weeks. Not (just) because they're more efficient. Because your GRC platform already did the testing. This is the Zillow effect in compliance. Platforms shifted from passive storage to active control testing. They now collect evidence, test controls, and form opinions on effectiveness. The auditor validates the platform's opinion instead of forming their own from scratch. This is what we discuss in this week's entry of the GRC Engineer newsletter! → Platforms now collect evidence automatically → Test controls based on their logic → Form opinions on effectiveness → Present auditors with pre-assessed landscape The auditor validates platform opinions instead of forming their own from scratch. This created: → Information parity (you see what auditors see in real-time) → Audit fees dropping 60-90% (discovery work already done) → New business model: checkbox audits at £15k (just trust platform, sign report) → Power inversion (platform choice matters more than auditor choice) But here's the problem most miss: Your platform is now your compliance brain. It decides control effectiveness using vendor methodology. If that logic is wrong, everyone trusts the wrong assessment. Quality auditors question platform logic. Checkbox auditors trust it. Full breakdown in this week's newsletter (link in comments). Huge shoutout to Tines for being the lead sponsor of this week's entry #GRCEngineering
-
An ESG Audit (Environmental, Social, and Governance Audit) is a comprehensive assessment of an organization’s performance and practices related to ESG factors. It evaluates how well a company integrates sustainable and ethical practices into its operations and ensures compliance with relevant standards, laws, and stakeholder expectations.

Key Components of an ESG Audit

1. Environmental Criteria
• Carbon emissions and footprint
• Energy usage and efficiency
• Waste management and recycling
• Water conservation
• Impact on biodiversity

2. Social Criteria
• Labor practices and working conditions
• Diversity, equity, and inclusion (DEI) initiatives
• Community engagement and social impact
• Customer satisfaction and data protection
• Health and safety standards

3. Governance Criteria
• Board diversity and structure
• Ethical business practices
• Transparency in reporting
• Anti-corruption measures
• Executive compensation alignment with ESG goals

Steps in Conducting an ESG Audit

1. Planning
• Define the scope and objectives.
• Identify relevant ESG frameworks (e.g., GRI, SASB, TCFD).
• Assemble an audit team or engage external experts.

2. Data Collection
• Gather internal policies, reports, and data on ESG performance.
• Interview key stakeholders, including employees, suppliers, and customers.

3. Analysis
• Compare practices against benchmarks, industry standards, and regulations.
• Identify risks, gaps, and opportunities for improvement.

4. Reporting
• Prepare a detailed report summarizing findings.
• Highlight strengths, weaknesses, and actionable recommendations.

5. Implementation
• Develop an action plan to address deficiencies.
• Monitor and continuously improve ESG performance.

Why Conduct an ESG Audit?
• Enhance corporate reputation and investor confidence.
• Identify risks and ensure regulatory compliance.
• Drive sustainability and long-term value creation.
• Align business operations with global goals like the UN’s Sustainable Development Goals (SDGs).
-
🔍 Risk-Based Auditing: Auditing What Truly Matters In today's dynamic business environment, Risk-Based Auditing (RBA) is not just a method—it's a mindset. Rather than treating all processes equally, RBA helps organizations focus their audit efforts on areas with the greatest potential for impact, whether it's operational, financial, or reputational. ✅ Prioritize high-risk processes ✅ Strengthen internal controls where they matter most ✅ Enable data-driven decision-making ✅ Drive real, sustainable improvements By aligning audit efforts with risk exposure, organizations not only enhance compliance but also add strategic value across departments. Whether you're in aviation, healthcare, infrastructure, or manufacturing — RBA transforms your audit function from a checklist activity into a strategic partner. 📌 Key takeaway: Risk-based auditing is about asking “What could go wrong here, and how do we prevent it?” before issues arise. Let’s stop auditing for the sake of it. Let’s audit with purpose. #RiskBasedAuditing #InternalAudit #QualityManagement #OperationalExcellence #Compliance #RiskManagement #ISO9001 #Leadership #ContinuousImprovement