Optimizing Your Internal Audit Function
As governance expectations grow and risk profiles become more complex, many organizations find that their internal audit function is being asked to cover more ground than it was originally designed to support. Boards and Audit Committees are asking sharper questions about technology controls, third-party oversight, and emerging risks alongside the financial reporting work that has always been central to internal audit.
We work with insurance and nonprofit organizations at different stages of that evolution, whether the need is to establish an internal audit function, maintain compliance with Sarbanes-Oxley Section 404 (SOX 404) or the Model Audit Rule (MAR), or reassess how the function is structured and resourced as the organization grows.
Trusted Methodology
Johnson Lambert’s internal audit methodology combines tailored risk and control frameworks, analytics-driven testing, and rigorous quality control. Each element is designed to support a thorough, efficient engagement and produce work that stands up to leadership and regulatory scrutiny.
Training
Our internal audit teams receive continuous training across technical, regulatory, and industry-specific subject matter, which means every engagement is supported by professionals who already understand the governance environment and compliance requirements relevant to your organization. We also share that knowledge with clients throughout the process, so your team comes away with a stronger understanding of your control environment and what it takes to sustain it.
Risk + Control Matrices
Risk and Control Matrices (RCMs) are tailored to each organization's risk profile, compliance requirements, and operational structure. For insurance organizations, that means RCMs that reflect the specific demands of MAR, SOX, and the broader governance expectations that internal audit is increasingly being asked to support.
Audit Programs
Our audit programs are designed to ensure consistency and thoroughness across every engagement, and we continually update them to reflect changes in the regulatory environment and emerging risk areas. That includes coverage of cybersecurity controls, AI governance, third-party dependencies, and other areas that are drawing increased scrutiny from leadership and regulators.
Analytics Workflows
Our teams use data analytics, visualization tools, and automated testing workflows to perform full population reviews rather than relying on sampling alone. This approach expands coverage, surfaces exceptions and anomalies sooner, and produces reporting that gives leadership a more complete view of where control gaps and risk concentrations exist.
Reporting
Internal audit reporting is most valuable when leadership can use it to make decisions, not just confirm that work was completed. Our reporting is tailored to each organization and designed to give management, Audit Committees, and governance bodies a clear view of findings, open issues, remediation ownership, and where the control environment may need additional attention.
Quality Control
Every Johnson Lambert engagement is subject to a dedicated quality control process that ensures our work meets professional standards and holds up under scrutiny. For clients, that translates to documentation, testing, and reporting that are defensible to regulators and rating agencies.
Where Internal Audit Can Create More Value
Internal audit can be applied across a broad range of priorities, depending on the organization’s risk profile, regulatory environment, and oversight needs. In practice, that may include financial reporting and internal controls, operational processes, IT and cybersecurity, regulatory compliance, third-party risk, and other areas where leadership needs stronger monitoring and more consistent insight.
We help clients prioritize internal audit activity based on where risk is shifting and where additional oversight is needed across the organization.
Partnering Model Options
Outsourced Model
For organizations that need a fully supported internal audit function, we can serve as an outsourced provider. We design the function around your organization’s risk profile, compliance requirements, and operational complexity, giving leadership and governance bodies access to specialized internal audit support without the need to staff the function entirely in-house.
Co-Sourced Model
For organizations that already have internal audit resources in place, a co-sourced model can expand capacity and add specialized expertise where it is needed most. We work alongside internal teams to help cover priority areas and scale the function more effectively during periods of growth, change, or increased regulatory focus.
Consulting Model
For organizations that need targeted support rather than ongoing internal audit execution, we provide consulting services in areas such as risk management, compliance, process improvement, IT and cybersecurity, and internal control evaluation. This model can help organizations address specific challenges and evaluate high-priority areas during periods of change.
Focused Experience
We add value through internal audit experience grounded in the industries we serve.
Insurance
Johnson Lambert has served insurance organizations for 40 years and has worked with more than 750 insurers and related entities across the United States. That experience brings added value to internal audit engagements by grounding the work in a deep familiarity with insurer operations, regulatory expectations, and the issues shaping risk and oversight today.
Nonprofit
We serve a range of nonprofit organizations, including trade associations, community development financial institutions, political action committees, membership organizations, private foundations, public charities, social service organizations, and higher education institutions. As operating demands and stakeholder expectations continue to grow, our understanding of the tax-exempt environment strengthens the support we provide.
Guidance for a Changing Risk and Regulatory Environment