When is this needed?
Some situations call not for an advisory report but for a working system. Two examples from practice:
Pension fund — DNB expects operational IA function
A pension fund received an expectation from DNB to have an internal audit function operational within six months. There was no existing IA infrastructure: no charter, no risk assessment, no audit plan. The board did not want a months-long design process, but a ready-to-go setup that functioned immediately.
Insurer — Solvency II governance gaps
A mid-sized insurer identified in an internal review that several Solvency II governance elements had not been adequately implemented. The compliance officer needed support that went beyond advice: someone who identifies the gaps and immediately implements the solution.
The 90-day approach
Audirium works with a structured 90-day approach that delivers a working governance structure in three phases:
Phase 1 — Weeks 1–4: Baseline and foundation
- Assessment of current situation (governance maturity scan)
- Stakeholder mapping and expectation management
- IA Charter and independent positioning
- RACI matrix for governance roles
- First version risk register (top-down)
Phase 2 — Weeks 5–8: Setup and first execution
- Risk-based audit plan (12 months)
- First audit started or completed
- Risk appetite framework (in consultation with the board)
- KRI dashboard operational
- Reporting format for audit committee/board established
Phase 3 — Weeks 9–12: Operational and embedded
- Second audit completed
- Issue management and follow-up process in place
- First quarterly report to board/audit committee
- Tooling operational (risk heat map, assessment tools)
- Transition plan and continuity arrangements
Result
"After three months I had a working IA function I could show to DNB. Not a plan, not a report — but a charter, an audit plan with two completed audits, and a risk dashboard the board actually uses."
What you get after 90 days
| Deliverable | Status after 90 days |
|---|---|
| IA Charter | Established and approved by the board |
| Risk register | Operational, linked to audit plan |
| Audit plan | 12 months, risk-based, 2 audits completed |
| Risk appetite framework | Board-approved, with KRIs |
| Governance RACI | Established and communicated |
| Reporting format | AC/board, first report delivered |
| Tooling | Risk heat map + assessment tools operational |
| Transition plan | Documented, ready for handover |
We needed to demonstrate substance to DNB quickly. Audirium delivered a working audit function in 90 days: actual execution, not a plan.
— Director, Pension Fund