Senior leadership without the cost of a full-time hire.
Drapalski Consulting provides infrastructure and strategic advisory for your business’ next growth phase.
Internal Audit & Governance
Internal audit is not a control exercise. It is a decision-support function for leadership.
Most organizations have policies and controls on paper. Very few have systems that are tested, structured, and reliable in practice.
Internal audit provides independent visibility into whether governance, risk, and control systems actually work—not just whether they exist.
What This Means in Practice
We focus on:
Whether governance structures are clearly defined and operating
Whether risks are identified, prioritized, and monitored
Whether controls are designed and functioning as intended
Whether reporting reflects operational reality
Whether leadership has decision-ready visibility
Role Within Your Organization
Internal audit operates independently from management.
Its role is to:
Identify control gaps before they become issues
Surface risks not visible in reporting
Validate governance frameworks in practice
Provide clear, structured insight to leadership
This is not retrospective review. It is forward-looking control and risk visibility.
Internal Audit & Governance Coverage
Internal audit spans governance, risk, and control environments. We structure and assess the full system—not isolated components.
Delivered remotely, on a fractional or project basis. Without the cost and rigidity of a full-time employee.
Scope
S1
Internal Audit
Internal audit setup or transformation, according to the Institute of Internal Auditors; Risk-based audit planning and execution; Co-sourcing or outsourced internal audit
S2
Governance & Oversight
Governance structure and decision rights; Board / Audit Committee setup and reporting lines; Three Lines of Defense model design
S2
Risk Management
Enterprise risk management (ERM); Bottom-up risk identification, scoring, and prioritization; Risk weighting, quantification and prioritization model; Risk appetite and tolerance definition
S3
Internal Controls (ICS)
Financial and operational controls according to Association of Certified Fraud Examiners; Process-level controls (e.g. Order-to-Cash, Procure-to-Pay); Entity-level controls and governance controls
S5
Compliance & Regulatory
Compliance management system (CMS), IDW PS 980; U.S. DoJ Criminal Division Evaluation of Corporate Compliance Programs (Updated 9.2024); Policy framework and code of conduct; Regulatory readiness (e.g. ICS, SOX-like, GDPR interfaces)
S6
IT Risk & Data Controls
IT general controls (ITGC); Access management and segregation of duties; Data governance and system control environment; ISO/IEC 27002; ISO/IEC 27001
Where control is missing—and where it matters.
Scope defines what we cover. Deliverables define what you can operate.
Delivered remotely, on a fractional or project basis. Without the cost and rigidity of managing a full-time employee.
YOU’RE BRINGING IN GOVERNANCE LEADERSHIP.
Drapalski Consulting is founder-led.
You work directly with a CPA, CIA, and CFE operating at CFO and internal audit level, not a layered team of junior consultants. No handoffs. No theoretical frameworks. No unnecessary complexity.
Certified Internal Auditor (CIA) and Certified Fraud Examiner (CFE)
Cross-functional experience across Internal Audit, Risk Management, Finance, and Corporate Governance
Based in Germany with deep US–EU business exposure
Fluent in finance, accounting, and commercial reality
Clear communicator for founders, boards, banks, and investors
Practical, decision-focused — not theoretical
Most companies have policies and controls on paper. Very few have systems that are robust.
Deliverables (What You Actually Receive)
Internal Audit & Governance Outputs
OUTPUT
O1
Governance Documentation
Governance framework document; Roles and responsibilities (RACI matrix); Internal Audit Charter / Risk Charter; Board and Audit Committee reporting templates
O2
Risk System
Structured risk register (Excel / system-ready); Risk scoring model and prioritization logic; Key Risk Indicators (KRIs) with thresholds; Risk dashboards and heatmaps
O3
Internal Control System (ICS)
End-to-end process maps (visually structured); Risk–control matrices (RCMs); Documented, testable controls; Control gap assessment and remediation plan
O4
Internal Audit Package
Audit universe (full scope of auditable areas); Annual / rolling risk-based audit plan; Audit programs and testing procedures; Audit reports with findings and ratings; Audit working papers and evidence structure
O5
Audit Reports
Findings log with severity ranking; Action plans with owners and deadlines; Issue tracker (Excel or system-based); Retesting and closure validation documentation
Typical duration: 2–4 weeks
O6
Compliance & Audit Readiness
Compliance Management System (CMS) documentation; Compliance Program Handbook: Strategy, documentation, trainings, monitoring and resources framework (core policies and controls); External audit readiness package (evidence + controls mapping)
O7
Reporting & Decision Infrastructure
Board / investor reporting packs; Internal audit reporting (monthly / quarterly); KPI and KRI dashboards; Risk reporting templates
O7
Embedded Implementation
Control verification and monitoring embedded into operations; Workflow implementation (automations, ERP or lightweight tools); Audit cadence and governance routines established; Ongoing governance and audit sparring
Take Action Now
LET’S BRING independent advisory TO YOUR ORGANIZATION.
If governance is fragmented, controls are unclear, or audit pressure is increasing, we establish the structure required to operate with control.