Modernising Internal Audit Across an Eight-Entity Caribbean Conglomerate

 

C  |  Context

A long-established Caribbean conglomerate, structured as a holding company over eight operating entities across four industry verticals and four jurisdictions, carried an internal audit function that was technically present but materially under-scaled. The function consisted of a small centrally-located team with a traditional compliance-focused mandate, an audit plan that reflected historical patterns rather than current risk, and an audit committee that — candidly, as its chair subsequently acknowledged — was not receiving internal audit reporting on which it could confidently discharge its fiduciary responsibilities.

Two developments had brought matters to a head. First, the conglomerate’s regulated financial services subsidiary had received, during its prior regulatory inspection, a supervisory observation that the group-level internal audit function had not provided adequate assurance over the subsidiary’s risk environment — a polite but unmistakable signal that supervisory patience on the point was finite. Second, the group’s board had, over the preceding eighteen months, refreshed its committee chairs, and the incoming chair of the audit committee, an experienced former senior partner of an international audit firm, had made the modernisation of internal audit her explicit priority for her first year in office.

Dawgen Global was retained to conduct a comprehensive modernisation of the conglomerate’s internal audit function. The mandate was explicit: produce a function fit for a diversified multi-jurisdictional conglomerate, governed by a contemporary internal audit charter, delivering risk-based assurance against an evidenced risk universe, and capable of earning the audit committee’s confidence and the regulator’s recognition.

A  |  Approach — The Internal Audit Imperative

Dawgen Global deployed its Internal Audit Imperative body of work — a twelve-article methodology and toolkit covering the full internal audit governance landscape for Caribbean enterprises. The Imperative is not a single framework but a structured modernisation programme organised around six foundational pillars that, collectively, transform an internal audit function from a compliance-checking activity into an assurance capability.

1.  Charter & Mandate Board-approved internal audit charter, reporting lines, independence safeguards, and resourcing commitment.	2.  Risk Universe Formal risk universe, entity-by-entity risk profile, and the alignment of audit plan to enterprise risk architecture.	3.  Methodology Risk-based audit planning, audit-level methodology, working paper standards, and quality control framework.
4.  Capability & Co-sourcing Core team competency framework, specialist co-sourcing architecture, and continuing professional development.	5.  Technology & Data Audit management platform, data analytics capability, and integration with enterprise risk and controls systems.	6.  Reporting & Impact Audit committee reporting architecture, management-facing report standards, and impact measurement discipline.

 

S  |  Solution

Charter and the re-establishment of mandate

The engagement began with the internal audit charter. The function’s existing charter, last refreshed several years earlier, was brought up to contemporary standard — aligned to the Institute of Internal Auditors’ Global Internal Audit Standards, with a clear articulation of the function’s purpose, scope, authority, and independence. The charter was approved by the board audit committee and subsequently by the full board. Critically, the charter made explicit the dual reporting line of the Chief Audit Executive to the audit committee functionally and to the Chief Executive administratively — a structure whose absence had been a root cause of the function’s previous limitations. Resourcing was committed at the charter stage, not deferred to subsequent budget cycles.

Risk Universe and the alignment of audit to risk

The Risk Universe pillar produced, for the first time in the conglomerate’s history, a single documented risk universe covering all eight operating entities across their four industry verticals and four jurisdictions. The risk universe was constructed through a combination of entity-level risk workshops, consolidated enterprise-level risk analysis, and integration with the conglomerate’s newly-operationalised enterprise risk management framework. Each risk was assigned a severity score, a velocity score, and a cross-entity aggregation profile — the last of which was particularly consequential, because several risks that were moderate at entity level became material at group level when the common exposures across entities were aggregated. The audit plan was then derived from the risk universe, rather than from historical audit rotations, meaning that audit coverage followed actual risk exposure.

Methodology and the working paper standard

The Methodology pillar introduced a contemporary internal audit methodology covering the full audit lifecycle: planning, fieldwork, evidence, conclusion, reporting, and follow-up. Working paper standards were elevated to a level at which external reviewers — whether the conglomerate’s external auditors, its regulators, or independent quality assurance reviewers — could rely on internal audit work as evidence in their own conclusions. A formal quality control framework was embedded, with periodic internal quality reviews and a commitment to external quality assessment at the interval required by the IIA Global Internal Audit Standards.

Capability, Co-sourcing and the matrix model

No Caribbean internal audit function of this scale can credibly cover its full risk universe using only a direct employed team; specialist capabilities — particularly in IT and cyber audit, in data analytics, in Islamic finance and co-operative finance niches, in forensic investigation — are best accessed through co-sourcing. The Capability pillar established a clear boundary between core retained capability and co-sourced specialist capability, with Dawgen Global positioned as a pre-qualified co-sourcing partner across several specialisms. Competency frameworks were established for the core team, linked to continuing professional development commitments. The Chief Audit Executive was repositioned from a hybrid operational-technical role into a purely strategic role appropriate to the scale of the function.

Technology and data analytics

The Technology & Data pillar deployed a contemporary audit management platform across the function, replacing the previous reliance on spreadsheet-based audit administration. A data analytics capability was established, drawing on the conglomerate’s own enterprise data environments and enabling continuous-auditing approaches over high-volume transactional areas such as purchasing, payroll, and expense reporting. Integration with the conglomerate’s enterprise risk management system ensured that internal audit findings flowed directly into the enterprise risk register, and that audit planning drew dynamically from the enterprise risk profile rather than from a static annual snapshot.

Reporting and the audit committee experience

The Reporting & Impact pillar transformed the audit committee’s experience of internal audit. The pre-existing reporting had been long, narrative, and technically dense — the kind of reporting that produces polite committee discussion but rarely confident decision-making. The new reporting architecture introduced a three-layer approach: an executive summary that communicated, in plain terms, what the committee needed to know; a thematic layer that aggregated findings across audits to identify pattern risks; and a detailed appendix layer for reference rather than committee discussion. Management-facing audit reports were similarly restructured, with clear action orientation and defined follow-up discipline. Impact measurement was introduced as a formal function output, tracking the quantified value of audit recommendations implemented by management over time.

E  |  Effect

Within fourteen months, the conglomerate’s internal audit function had been transformed from a compliance-checking activity into a credible assurance capability. The audit committee chair, in her annual report to the board, formally recorded her confidence in the function — the first such endorsement the function had received in recent memory. The regulated financial services subsidiary’s subsequent supervisory interaction closed without repeat of the prior observation on group-level internal audit; the supervisory team explicitly recorded the modernised charter, the risk-based audit plan, and the strengthened reporting architecture as the basis for its revised assessment. The external auditors, at the next annual audit cycle, were able to place defensible reliance on internal audit work in several coverage areas, with corresponding efficiency benefit to the external audit. The Chief Audit Executive, repositioned in her role, began recruiting her own successor under a competency framework designed to sustain the modernised function beyond her tenure.

Insight Lens — From the Engagement Partner

The internal audit lesson An internal audit function earns its board’s confidence one reporting cycle at a time. The quickest and most durable way to build that confidence is not by auditing more — it is by auditing better-chosen things and reporting what is found in a form the board can actually use. The Internal Audit Imperative is built around the recognition that in the Caribbean conglomerate context, the principal constraint on internal audit is not technical skill; it is the gap between what internal audit produces and what boards and audit committees actually need to discharge their responsibilities. Closing that gap is the modernisation.

Cross-disciplinary Footprint

• Risk Management — risk universe construction and alignment of audit plan to enterprise risk architecture.
• Cybersecurity (CYBERSHIELD™) — specialist cyber audit capability co-sourced to internal audit function.
• IT & Digital Transformation — audit management platform deployment and data analytics capability build.
• Audit & Assurance — methodology alignment, working paper standard, and reliance protocol with external audit.
• Business Advisory — audit committee reporting design and impact measurement framework.

Take the next step with Dawgen Global

THE SIGNAL If you are a board audit committee chair, Chief Audit Executive, Chief Risk Officer, or Chief Executive of a Caribbean group whose internal audit function is not yet earning the confidence it should — whether because its charter is dated, its audit plan is not credibly risk-based, its reporting does not meet contemporary standards, or its specialist coverage is thin — the modernisation is straightforward once it is chartered and begun. THE OFFER Dawgen Global offers a confidential Internal Audit Imperative Diagnostic: a structured six-week engagement that assesses your current internal audit function across all six pillars of the Imperative, produces a documented maturity profile, and delivers a prioritised modernisation roadmap with defensible resourcing implications. The diagnostic is delivered under confidentiality and without obligation to proceed. THE CHANNEL Email  [email protected]

About Dawgen Global