Why internal audit still spends too much time verifying

Regulators expect stronger assurance. Stakeholders expect faster turnaround. Data volumes continue to grow. And yet, much of internal audit work still revolves around the same manual verification steps auditors have performed for years.

Sampling transactions. Matching invoices. Checking approvals. Recalculating figures. Reconciling sub-ledgers. Tracing numbers back to source documents in Excel, PDFs, and ERP exports.

The challenge is not what internal auditors verify, but how they are expected to do it at scale.

The reality of internal audit testing today

Across organizations, internal auditors are routinely responsible for validating whether:

• Expenses included in payment runs are valid, authorized, accurately recorded, and properly classified
• Accounts payable invoices were approved in line with authorization matrices and segregation of duties
• Royalty payments align with contractual terms such as rates, tiers, territories, and time periods
• Access controls are designed to prevent unauthorized transactions
• Sub-ledger balances reconcile to the general ledger
• Journal entries are appropriate and free from management override
• New leases are fully captured, correctly classified, and accurately measured
• Transactional and master data extracted from SAP (FI, CO, MM, SD) is complete and reliable
• ESG disclosures reconcile to underlying operational data, calculations, and evidence

Each of these procedures is reasonable on its own. Together, they create a workload that is increasingly difficult to execute using manual, sample-based approaches.

Why sampling is becoming a risk, not a safeguard

Sampling has long been a cornerstone of internal audit methodology. It exists for a simple reason: reviewing everything was historically impractical.

But modern audit environments have changed.

High-volume payment runs, automated posting logic, and system-driven controls mean that issues no longer cluster neatly inside small samples. As a result, internal audit teams face growing risks when relying solely on limited testing:

• Control breaches may fall outside selected samples
• Errors are discovered late in the audit cycle
• Manual matching and filtering consumes disproportionate time
• Evidence becomes fragmented across spreadsheets and screenshots
• Audit conclusions become harder to defend

In a world of digital transactions, sampling can unintentionally reduce audit confidence rather than increase it.

The shift toward data-driven internal audit assurance

Forward-looking internal audit teams are not abandoning rigor. They are redefining how assurance is achieved.

Instead of manually testing small subsets of data, they are moving toward approaches that allow for broader, more consistent verification, such as:

• Automated matching between payment runs, invoices, and general ledger postings
• AI-based extraction of key invoice fields like vendor, amount, date, and cost center
• Outlier detection to flag duplicate payments, unusual amounts, or non-standard vendors
• Expanded sample sizes without expanding manual workload
• Automated recalculation of royalties based on contract terms and usage data
• Variance analysis between expected and recorded values
• Validation of ESG metrics against source data and documented methodologies

The goal is not automation for its own sake. It is stronger assurance with clearer evidence.

What this means for internal control evaluation

When verification becomes more systematic, internal audit outcomes improve in measurable ways:

• Control design documentation becomes clearer and more defensible
• Policy breaches surface earlier instead of during final review
• Fraud risks are easier to detect and substantiate
• Misclassifications are identified before reporting deadlines
• ESG disclosures are supported by traceable evidence
• Auditors spend less time gathering data and more time applying judgment

In practical terms, internal audit shifts from manual execution to analytical oversight.

Where excel still plays a central role

Despite advances in audit technology, Excel remains the operational backbone for many internal audit teams. It is where testing happens, reconciliations are built, and conclusions are formed.

What is changing is how work inside Excel is supported.

Not as a replacement for auditors. Not as a black box. But as a way to help internal audit teams scale verification work, expand coverage, and strengthen assurance, without leaving the tools they already rely on.

For internal audit, that evolution may be less about adopting new methodologies, and more about finally modernizing how the obvious gets verified.