Internal audit in a SOX‑scoped, multi‑ERP environment is no longer just about periodic reviews and sample testing. High‑reliability organizations are moving toward data‑driven, continuous assurance — but the underlying audit methodology is still built on five core stages: planning, risk assessment, fieldwork, analysis and reporting, and follow‑up/monitoring.
This article walks through each stage from a technical perspective, and shows how platforms like SafePaaS plug directly into the audit lifecycle as a control data and automation layer.
Stage 1: Planning – From Audit Universe to Executable Audit Program
In a mature internal audit function, planning goes beyond selecting an area and drafting a generic work program. It’s about building a defendable, risk‑based audit plan and translating it into detailed procedures that can be executed and re‑used.
Key technical elements of the planning stage include:
- Audit universe and risk model alignment: Mapping entities, processes, and systems (e.g., Oracle, SAP, Workday, key SaaS) to your risk taxonomy (financial reporting, fraud, cyber, operational, compliance).
- Scoping at control‑objective level: Defining which ITGC domains (access, change, operations) and which business process controls (P2P, O2C, R2R, treasury) will be in scope, and at what level of assurance.
- Audit program design: Translating risks and control objectives into specific testing steps, data sources, and sampling methodologies.
Where SafePaaS helps at this stage is in surfacing real control telemetry, so planning is based on actual risk, not assumptions. For example, customers use SafePaaS analytics to see where SoD violations, privileged access, or configuration changes are concentrated, then align the plan accordingly. The rationale for this automation‑first approach is covered in Why Automate Internal Controls?.
Stage 2: Risk Assessment – Quantifying Risk with Access and Control Data
Risk assessment is not just a document; it’s a structured process of rating risks and controls using both qualitative and quantitative inputs. Technically, you’re trying to answer: “Where is control failure most likely, and where would it hurt the most?”
Typical activities include:
- Inherent risk analysis: Complexity (customizations, integrations), transaction volumes, pace of change, regulatory exposure (SOX, industry regulations), and historical incidents.
- Control design evaluation: Reviewing control matrices, RCMs, SoD rule sets, and configuration baselines to identify design gaps or over‑reliance on manual detective controls.
- Data‑driven indicators: Using metrics such as number of users with privileged roles, count of open SoD conflicts, frequency of emergency changes, and exception rates in key reports.
SafePaaS is particularly strong in this stage because it can continuously analyze these indicators from live system data: cross‑application SoD conflicts, high‑risk entitlements, orphan accounts, and unapproved configuration changes. Articles like Everything you need to know about ITGC SOX illustrate how teams use this data to sharpen their risk assessments.
Stage 3: Fieldwork – Executing Tests with System‑Generated Evidence
Fieldwork is where the audit program is executed: controls are tested, exceptions are identified, and evidence is collected and documented. Technically, this is where the friction between manual and automated approaches is most evident.
Core techniques and activities:
- Control walkthroughs and design validation: Confirming that documented controls match what actually happens in the ERP/IT landscape (e.g., verifying SoD rules in SafePaaS against roles in Oracle or SAP).
- Sample‑based testing vs. full‑population analysis: For many key controls, traditional audit relies on sampling; with automation, internal audit can test entire populations (e.g., all access changes or all journal postings) and only investigate exceptions.
- Evidence capture and workpaper integration: Storing screenshots, configuration exports, access listings, and approvals in a way that’s traceable to each testing step.
SafePaaS materially changes fieldwork in three ways:
- Automated ITGC and ITAC testing – SafePaaS can continuously test control conditions (e.g., “no user has both AP invoice entry and payment release”) and surface violations, effectively converting many manual ITGC tests into ongoing, automated checks.
- System‑generated, time‑stamped evidence – Access approvals, SoD certifications, and change approvals produced by SafePaaS can be directly attached to audit workpapers, reducing reliance on ad‑hoc screenshots and spreadsheets.
- Integration with provisioning and ticketing tools – Standard APIs allow SafePaaS to consume data from systems like SailPoint or ServiceNow and reconcile it with control expectations, so auditors can test the entire lifecycle from request to approval to provisioning.
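The full‑population SoD test described above (and the data‑driven indicators from the risk assessment stage) reduce to a small, repeatable computation over an access extract. The following is an added illustration, not SafePaaS code or a SafePaaS API: it takes a user‑to‑role and role‑to‑entitlement mapping plus a rule set (all constructed sample data, including the rule IDs, role and entitlement names), tests every user against every rule rather than a sample, derives the kind of metrics a risk assessment would use, and hashes the resulting exception list so the figure recorded in the workpaper can be re‑verified later.

```python
import hashlib
import json
from collections import defaultdict

# Constructed sample data for illustration only; not an extract from any real ERP.
ROLE_ENTITLEMENTS = {
    "AP_CLERK": {"AP_INVOICE_ENTRY"},
    "AP_MANAGER": {"AP_INVOICE_APPROVE", "AP_PAYMENT_RELEASE"},
    "VENDOR_ADMIN": {"VENDOR_MASTER_MAINTAIN"},
    "SYSADMIN": {"USER_ADMIN", "CONFIG_CHANGE"},
}

USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},          # invoice entry + payment release
    "carol": {"VENDOR_ADMIN", "AP_MANAGER"},    # vendor master + payment release
    "dave": {"SYSADMIN"},
    "svc_batch": {"SYSADMIN", "AP_MANAGER"},    # user admin + payment release
}

# Constructed SoD rule set: (rule id, entitlement A, entitlement B, severity).
SOD_RULES = [
    ("SOD-001", "AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE", "high"),
    ("SOD-002", "VENDOR_MASTER_MAINTAIN", "AP_PAYMENT_RELEASE", "high"),
    ("SOD-003", "USER_ADMIN", "AP_PAYMENT_RELEASE", "medium"),
]

# Entitlements treated as privileged for the risk-assessment indicator (assumed).
PRIVILEGED_ENTITLEMENTS = {"USER_ADMIN", "CONFIG_CHANGE"}


def effective_entitlements(user_roles, role_entitlements):
    """Flatten role assignments into user -> set of entitlements.

    Roles missing from the role catalogue are returned separately rather than
    silently dropped: an unknown role is itself something the auditor must see.
    """
    effective = {}
    unknown_roles = defaultdict(set)
    for user, roles in user_roles.items():
        ents = set()
        for role in roles:
            if role in role_entitlements:
                ents |= role_entitlements[role]
            else:
                unknown_roles[user].add(role)
        effective[user] = ents
    return effective, dict(unknown_roles)


def find_sod_violations(user_roles, role_entitlements, rules):
    """Full-population SoD test: every user is checked against every rule.

    Returns a sorted list of (user, rule_id, severity) so two scans of the
    same population produce identical output and can be diffed.
    """
    effective, _ = effective_entitlements(user_roles, role_entitlements)
    violations = []
    for user, ents in effective.items():
        for rule_id, ent_a, ent_b, severity in rules:
            if ent_a in ents and ent_b in ents:
                violations.append((user, rule_id, severity))
    return sorted(violations)


def risk_indicators(user_roles, role_entitlements, rules):
    """Quantitative indicators of the kind a risk assessment draws on."""
    effective, unknown = effective_entitlements(user_roles, role_entitlements)
    violations = find_sod_violations(user_roles, role_entitlements, rules)
    return {
        "users_in_population": len(effective),
        "privileged_users": sum(
            1 for ents in effective.values() if ents & PRIVILEGED_ENTITLEMENTS
        ),
        "open_conflicts": len(violations),
        "users_with_conflicts": len({v[0] for v in violations}),
        "high_severity_conflicts": sum(1 for v in violations if v[2] == "high"),
        "users_with_unknown_roles": len(unknown),
    }


def evidence_digest(violations):
    """SHA-256 over a canonical JSON rendering of the exception list.

    Recording the digest next to the scan timestamp in the workpaper lets a
    reviewer confirm later that the attached exception list is unchanged.
    """
    canonical = json.dumps(violations, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    found = find_sod_violations(USER_ROLES, ROLE_ENTITLEMENTS, SOD_RULES)
    for user, rule_id, severity in found:
        print(f"{user:10} {rule_id} {severity}")
    print(risk_indicators(USER_ROLES, ROLE_ENTITLEMENTS, SOD_RULES))
    print("evidence digest:", evidence_digest(found))
```

In a real engagement the two mappings would come from the ERP's role and user extracts (or from an access governance platform), and the rule set from the approved SoD matrix; the point the example makes is that once those inputs are machine‑readable, the test covers the whole population on every run, so the auditor's effort goes into the exceptions and the unknown‑role edge case instead of into sampling.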
The ITGC automation case study demonstrates how a multinational organization used SafePaaS to centralize ITGC evidence and cut manual testing significantly.
Stage 4: Analysis and Reporting – From Exceptions to Risk Insights
Once testing is complete, internal audit has to move from raw exceptions to articulated risk and agreed actions. Technically, this is about classification, aggregation, and clear communication.
Key components:
- Deficiency evaluation: Mapping exceptions to control objectives, rating likelihood and impact, and determining whether they roll up to significant deficiencies or material weaknesses (especially for SOX ICFR).
- Aggregation and theming: Identifying systemic issues (e.g., access model design flaws, weak change governance, or fragmented ownership) versus isolated control breakdowns.
- Reporting and visualization: Presenting results in layered form, high‑level for the audit committee and executives and granular for control owners and IT.
SafePaaS supports this phase by providing dashboards and risk analytics that internal audit can leverage directly:
- Heatmaps of SoD conflicts and high‑risk access by entity, process, and system.
- Trend views showing control performance over time (e.g., decreasing open conflicts after remediation campaigns).
- Ready‑to‑export reports that tie directly to audit observations and management action plans.
The article Measuring the ROI of internal control automation goes deeper into how this analytics layer changes the quality of audit reporting.
Stage 5: Follow‑Up and Continuous Monitoring – Closing the Loop
Follow‑up historically meant tracking action plans in a spreadsheet and re‑testing in the next cycle. In a data‑rich, digital environment, internal audit can move toward continuous assurance and near‑real‑time follow‑up.
From a technical standpoint, this stage involves:
- Action plan workflow: Assigning owners, due dates, and status to each finding, with clear links back to the underlying control and risk.
- Re‑performance and validation: Re‑running specific automated tests or sampling transactions post‑remediation to confirm effectiveness.
- Continuous monitoring hooks: Building automated tests for high‑risk controls into the BAU environment (e.g., daily SoD scans, real‑time alerts on critical config changes).
SafePaaS acts as a continuous monitoring and “system of audit” layer by:
- Running recurring control checks across ERP and cloud systems (SoD, critical access, configuration changes) and logging exceptions over time.
- Maintaining an immutable evidence store of control executions, approvals, and remediation events, which internal audit can query and reference in future audits.
- Providing shared dashboards for internal audit, IT, and business owners, so follow‑up status is visible and jointly owned.
You can see how audit leaders are using these capabilities in How audit leaders are automating testing and cutting cycle times.
From Periodic Audits to Continuous Assurance
For heads of internal audit and ITGC owners, the five stages of the internal audit process are familiar. The real shift is how those stages are executed: moving from manual sampling and point‑in‑time evidence to automated testing, continuous monitoring, and system‑generated audit trails.
SafePaaS is designed to be that federated layer for complex Oracle, SAP, and Workday environments — providing the fine‑grained identity visibility, ITGC automation, and risk dashboards internal audit needs to modernize its methodology end‑to‑end.
To see how this can plug into your current audit plan, explore the SafePaaS platform or request a discovery session with your audit and ITGC teams in the room.