Risk Strategy

What Internal Audit Services Should Actually Deliver to a Mid-Market CFO

Most mid-market internal audit services produce reports the CFO and audit committee do not actually use. Here is what should change, and how to fix the scope.

By Eric Kennedy · Thu May 07 2026 · 6 min read

What Internal Audit Services Should Actually Deliver to a Mid-Market CFO

If you are a mid-market CFO buying internal audit services, you have probably already had this experience: a 30-page report lands on your desk, the audit committee receives a 20-minute readout, the recommendations get logged, and three months later nothing has changed.

That is not a problem with internal audit as a discipline. It is a problem with how internal audit services are being scoped, sold, and delivered to mid-market companies. Whether the function is in-house, fully outsourced, or set up through internal audit co-sourcing, the same gap shows up: audit committee reporting best practices that emphasize coverage breadth over decision impact, internal audit effectiveness metrics that count completed audits instead of business outcomes, and a risk-based internal audit methodology that exists on paper more than in the audit plan.

The Institute of Internal Auditors has been pushing the profession toward a different model for years. The IIA's 2024 Global Internal Audit Standards became effective January 9, 2025, with a focus on internal audit strategy, stakeholder relationships, and performance measurement. The mandate is clear: internal audit is supposed to deliver strategic value, not just assurance.

Most mid-market internal audit services do not.

What most mid-market internal audit services actually deliver

A typical outsourced or co-sourced internal audit engagement at a $200M company looks something like this. The audit committee approves a risk-based audit plan once a year. The provider executes 6 to 10 audits across the year, each producing a written report with findings, ratings, and recommendations. The CFO and audit committee receive quarterly updates. SOX testing, if applicable, runs as a parallel workstream.

The work product is real. The reports are competent. The findings are usually defensible.

But ask three questions and the value proposition gets harder to defend.

First, what decisions did the audit committee make this year that depended on internal audit's work? At most mid-market companies, the honest answer is one or two. Maybe none.

Second, what specifically changed in the business because of internal audit's work? Not what was recommended, what actually changed. Strong internal audit effectiveness metrics tie findings to operational consequences, not to closure rates. The list of things that actually changed is usually shorter than the report count.

Third, would the CFO and audit committee miss anything operationally if the internal audit function disappeared tomorrow, beyond the audit reports themselves? At most mid-market companies, the answer reveals what is really being bought: documentation, not insight.

This is not the auditors' fault. They are delivering what was scoped. The problem is upstream.

Why this happens at the mid-market

Three structural reasons.

The buyer is the audit committee, not the CFO. Internal audit reports functionally to the CFO but administratively to the audit committee. When the audit committee defines the work, the work tends to optimize for what looks good in audit committee meetings: comprehensive coverage, clean reports, clear ratings. That is one reason most audit committee reporting best practices still emphasize coverage breadth over decision impact. Useful, but rarely operationally decisive.

The provider is incentivized to deliver hours, not impact. Most outsourced engagements are scoped in audit hours and audit count. Strategic alignment is not what is being measured or sold. The IIA's 2025 North American Pulse of Internal Audit Survey found that internal audit functions fully aligned with strategic objectives have a 31-percentage-point funding advantage over those only somewhat aligned. The data is clear that strategic alignment matters. The buying behavior has not caught up.

The CFO does not have time to define what good looks like. Mid-market CFOs are running finance, accounting, treasury, and FP&A. They do not have time to redesign the internal audit operating model on top of everything else, so they accept the model the provider proposes. The model gets cheaper. It does not get better.

The IIA's own data confirms the gap. According to the same 2025 Pulse Survey, internal audit activity is currently 75% assurance and 25% advisory work. Chief audit executives want to shift advisory work to 40% going forward. That is the profession itself acknowledging the work is over-weighted on assurance.

Bar chart titled "What Internal Audit Actually Does vs. What CAEs Want It to Do." The "Today" bar shows 75% assurance work in gray and 25% advisory work in navy. The "Where CAEs Want to Go" bar shows 60% assurance and 40% advisory. A directional arrow points from current state to target state. Source: IIA 2025 North American Pulse of Internal Audit Survey.

Redefining "good": from assurance to advice

The fix starts with rethinking what the function is being measured on. A mid-market CFO should expect three things from internal audit services every year that the current model often does not produce.

Decisions the executive team made because of internal audit work. Not findings logged. Decisions made. If the year ends with no clear example of "we did X because internal audit surfaced Y," the function is not earning its budget.

A current, accurate, executive-level risk picture. Not a 200-row risk register. A short, current view of the risks the CFO and audit committee should be paying attention to right now, refreshed quarterly, with audit work tied directly to the highest-priority items. The 2024 IIA Standards explicitly emphasize this kind of strategic alignment, and integrating internal audit into a broader ERM program is how it actually happens. Most mid-market engagements do not deliver it.

A development effect on the business. Strong internal audit work leaves the audited area better operationally, not just compliant. The CFO should be able to point to two or three places in the business that run better this year because internal audit was there.

Three-column framework titled "What a Mid-Market CFO Should Expect From Internal Audit Every Year." Column 1 is "Decisions Made," showing specific decisions the executive team made because of internal audit work. Column 2 is "A Current Risk Picture," showing a short focused list of high, medium, and low priority risks. Column 3 is "A Development Effect," showing operational improvements as an upward-trending line.

If the function is not producing those three things, the answer is not changing providers. It is redefining what is being bought.

Where internal audit co-sourcing actually helps

Not every mid-market company needs a full in-house internal audit function. Many do not have the headcount to justify one, and even those that do often need specialist expertise the in-house team cannot maintain across cyber, IT, third-party risk, and SOX testing simultaneously.

This is where internal audit co-sourcing can earn its budget, but only if it is structured the right way.

The wrong version of co-sourcing is using an external firm to execute a generic audit plan more cheaply than an in-house team would. That is just outsourced testing with a different label. The right version of co-sourcing is using an external firm specifically for the specialist depth your in-house team does not have, on the audits that actually move the risk picture.

Two practical rules for getting it right:

Scope co-sourcing around capability gaps, not capacity gaps. If you are co-sourcing because your in-house team is overloaded on routine work, you have a staffing problem, not a co-sourcing strategy. If you are co-sourcing because the next three audits require deep cyber, regulatory, or third-party expertise, that is the right use of an external partner.

Write the engagement charter around decisions, not deliverables. The contract should require findings tied to business impact, not just control deficiencies. If the provider's deliverable is a report, you bought a report. If the provider's deliverable is a clearer risk picture and specific operational changes, you bought internal audit.

Side-by-side comparison titled "When Internal Audit Co-Sourcing Actually Earns Its Budget." Left column "Capacity Gap" labeled as the wrong reason to co-source: triggered by an overloaded in-house team, scoped to a generic audit plan, delivering more audit reports under an hours-based contract, with the outcome of the same unread reports at lower cost. Right column "Capability Gap" labeled as the right reason to co-source: triggered by audits needing cyber, regulatory, or third-party expertise, scoped to specialist depth on highest-impact risks, delivering findings tied to business impact under a decision-based contract, with the outcome of a clearer risk picture and specific operational changes.

Done well, co-sourcing supplements the in-house function. Done poorly, it is just a more expensive way to produce the same unread reports.

What this looks like operationally

Three changes usually do most of the work.

Tie the audit plan to the enterprise risk profile, not the prior-year audit plan. A risk-based internal audit methodology means the plan reflects the four or five highest-impact audits given the current risk picture, full stop. Most mid-market audit plans are last year's plan with two new audits added, which is not the same thing.

Replace audit count with audit consequence as the primary success metric. How many audits were completed matters less than how much the audited areas changed because of the work. This is the difference between activity-based internal audit effectiveness metrics and outcome-based ones.

Integrate internal audit into the broader risk program. Internal audit, ERM, compliance, and SOX should share a single risk view, not three. Otherwise the CFO is paying three teams to maintain three overlapping inventories.

The profession is moving in this direction. The same IIA 2025 Pulse data shows that 40% of CAEs now report using GenAI for internal audit activities, up from 15% the prior year. Tools are getting better. The question is whether the operating model catches up.

Bar chart titled "Internal Audit's GenAI Adoption Has More Than Doubled in One Year." The prior-year bar shows 15%. The 2025 bar shows 40%. Source: IIA 2025 North American Pulse of Internal Audit Survey.

Key Takeaways

The buying lesson

If your internal audit services provider cannot point to specific decisions, specific changes, and specific operational improvements from this year's work, you are buying audit reports, not internal audit. Those are not the same thing.

The good news: redefining what you are buying does not require firing your provider. It requires rewriting the scope.

Frequently Asked Questions

What is the difference between internal audit services and risk advisory?

Internal audit services are focused on independent assurance over governance, risk management, and internal controls, typically reporting to the audit committee. Risk advisory is broader and forward-looking, focused on helping management identify, assess, and respond to risks before they become control failures. The 2024 IIA Standards explicitly push internal audit toward more advisory work, and at the mid-market level the two functions often need to be integrated rather than separated.

When does internal audit co-sourcing make sense for a mid-market company?

Internal audit co-sourcing makes sense when your in-house team has a capability gap (specialist expertise in cyber, IT audit, third-party risk, or regulated industry compliance) rather than a capacity gap (just being overloaded on routine work). It also makes sense when the audit committee wants an independent perspective on a specific high-stakes audit. The engagement should be scoped around the specific decisions the work needs to inform, not around audit hours.

How do I know if my current internal audit function is delivering value?

Three questions surface the answer. What decisions did the executive team or audit committee make this year because of internal audit work? What specifically changed operationally in the business because of internal audit? Would anyone notice operationally if the function disappeared tomorrow, beyond the absence of the reports? If the answers are few, not much, and not really, the scope needs rewriting.

What are good internal audit effectiveness metrics for a mid-market CFO?

The most useful metrics are outcome-based, not activity-based. Examples: number of executive decisions informed by audit findings, percentage of audited areas with measurable operational improvement, time from finding identification to remediation, and alignment between the audit plan and the current top-five enterprise risks. Audit count and on-time completion are easy to measure but rarely tell the CFO whether the function is earning its budget.