Shadow audit functions: how to avoid audit fatigue

Most organisations today run far more “audit-like” activity than what’s on the internal audit plan.

Internal audit is doing its risk-based work. Internal control teams are running design reviews and key control testing. Compliance, IT, ESG and external consultants are all running their own reviews, health checks and mock audits. All of this is well-intentioned: everyone is trying to protect the organisation. But for the business, it often feels like one thing: constant audit fatigue. “Didn’t we just do this?” “Why are we sending the same evidence again?” “Which action list matters?”

That fatigue is now a real risk in itself. It erodes trust, encourages defensive behaviour and dilutes the impact of genuine red flags. This is exactly where chief audit executives (CAEs) and heads of internal controls have a shared opportunity. Not to centralise power, but to orchestrate assurance so it is coordinated, lighter for the organisation, and more impactful.

What shadow audit functions are – and why they matter

Shadow audit functions are structured reviews that test controls, compliance or process performance but sit outside formal internal audit. They might be called reviews, assessments, inspections, readiness checks or mock audits – but to the people being reviewed, they feel like “another audit”.

None of this is inherently wrong. In many cases these reviews spot issues early and strengthen readiness. The problem arises when they grow organically, with no single view of who is reviewing what, where and when. That is when they start to overlap, create conflicting or unclear priorities and wear people out.

How uncoordinated reviews create organisational fatigue

From a risk and governance perspective, audit fatigue is not just an annoyance; it changes behaviour. When reviews are not orchestrated:

  • The same teams are hit repeatedly, especially areas like finance, IT and key business units.
  • Teams spend hours rebuilding similar evidence packs for different reviewers.
  • Managers receive multiple, unaligned action lists and end up choosing what to respond to.
  • Over time, people learn to “perform for reviews” instead of exposing weaknesses.
  • Real risks get crowded out by noise.

For internal audit chiefs, this undermines independence and impact: your reports become just one more voice in a crowded space. For internal control leaders, it makes control ownership look like a compliance burden, not a management tool. The risk is simple: you invest heavily in assurance, but the organisation cannot absorb or act on it effectively.

A shared mandate for internal audit and internal controls

The good news is that CAEs and heads of internal controls are uniquely positioned to fix this together. Internal audit brings independence and a direct line to the audit committee. Internal controls bring proximity to processes, control owners and day-to-day operations. Together, they can set a new expectation: one coordinated assurance story, with the minimum necessary disruption for the business.

That does not mean stopping other reviews or forcing everyone into one function. It means giving the organisation:

  • one view of where assurance activity actually lands
  • simple rules that reduce duplication and fatigue
  • a single, coherent set of messages and priorities

Practical steps to orchestrate assurance

1. Build a shared map of who is reviewing what

You cannot coordinate what you cannot see. Internal audit and internal controls should jointly sponsor a light but complete assurance map that captures all recurring reviews. For each review, record the owner, scope, frequency, typical evidence requested, and which entities or processes are affected. Overlay the last 12–18 months: which locations, functions or processes were reviewed, how often, and by whom?

This simple mapping immediately highlights hotspots of fatigue and obvious overlaps. It also gives you a concrete artefact to take to the executive team and audit committee: “Here is how much assurance we are placing on the organisation right now.”

2. Agree simple coordination rules that protect the business

Once you can see the landscape, the CAE and head of internal controls can propose a few high-value, low-politics rules, framed as business protection rather than governance for its own sake, for example:

  • No-go periods: agree blackout windows where non-urgent reviews do not hit critical teams (e.g. quarter-end close, peak trading weeks).
  • Bundling: if three functions want to review the same country or process in the same quarter, explore joint or back-to-back work with shared walkthroughs and evidence, instead of three separate visits.
  • Single evidence pull: create a shared repository for standard artefacts (org charts, key policies, process maps, standard reports) so the business doesn’t rebuild the same pack for each review.
  • One issue list per area: ensure all findings touching a specific entity or process feed into a single, prioritised action tracker. Managers see one list, not five.

These rules are easy to sell internally because they reduce friction for everyone – including other assurance providers.

3. Clarify roles so reviews complement each other

A lot of fatigue comes from blurred roles. A simple model, agreed and messaged jointly, can defuse this. For example:

  • Internal audit: owns independent assurance for the board; focuses on overall design and effectiveness of risk management and internal control; avoids taking on day-to-day control testing that belongs to management.
  • Internal controls: owns the control framework, documentation and management testing; acts as the hub for coordinating control-related reviews and connecting results back into the framework.
  • Other assurance providers (compliance, IT/security, ESG, external): bring specialist depth; align scopes and timing through the internal controls hub; share results into the common issues log and dashboards.

4. Ensure coordination with a few simple tools

You don’t need a big platform to start. A small toolkit works:

  • a group assurance calendar showing major reviews by entity and process,
  • a simple assurance map showing which risks and processes are covered by which providers,
  • a shared issues and action tracker that aggregates findings,
  • a short guidance note clarifying what can be called an “audit”, how reviews are coordinated, and how results are recorded and escalated.

Designed well, these tools make life easier for reviewers and the business at the same time.

How to message it so people collaborate, not resist

The biggest risk in launching coordinated assurance is positioning it right. Done clumsily, it sounds like a power grab. Done well, it feels like a service. A few messaging principles help CAEs and internal control chiefs land this smoothly.

  • Lead with business pain, not governance: Start from what everyone already feels: repeated visits, duplicate evidence requests, competing action lists. Position the initiative as a fix: “We’re not adding another layer. We want to spend the same assurance effort in a smarter, lighter way.” Use language like “reduce noise”, “protect scarce expert time”, “one set of priorities instead of five”.
  • Make it clearly pro-collaboration, not anti-anyone: Other assurance functions are sensitive to the idea of being policed. Emphasise what they gain:
    – less pushback from the business via better timing and bundling
    – more visibility, because their findings feed into board-level views
    – shared templates, evidence and control documentation so they don’t start from scratch.
    Message it as a support package, not a constraint.
  • Present internal audit and internal controls as a united front: Where there’s tension between audit and internal controls, others will exploit it. Launch this as a joint initiative:
    – present together to executives and assurance stakeholders
    – use “we” language: “We both hear the same feedback… we want our combined footprint to be lighter and clearer…”
    Make clear that internal audit is not there to approve every review, and internal controls is not there to take over programmes, but that both are sponsoring better coordination.
  • Emphasise sequencing and visibility, not veto power: Be explicit:
    – “You stay in charge of what you review in your domain. We want to help with when, how often and how it all fits together.”
    – “If you have a regulator-driven review, that’s non-negotiable; our job is to help it land with less disruption.”
    Centralising visibility and planning, not technical content, is much easier for others to accept.
  • Give the business a clear “what’s in it for me”: For local leaders and process owners, keep it simple:
    – fewer, better coordinated visits
    – one action list per area
    – fewer last-minute surprises via a visible assurance calendar
    – a “before vs after” example: a country that currently sees 4–5 reviews per year, and how bundling and planning could cut that down while increasing clarity.

Shadow audit functions aren’t going away. In a complex risk and regulatory environment, leaders will always look for fast, focused confirmation outside the formal audit plan. The real question is whether that activity grows organically – overlapping, confusing and exhausting the organisation – or is orchestrated in a way that supports clearer priorities and stronger internal controls.

For CAEs and heads of internal controls, this is a chance to reposition your functions as orchestrators of assurance, not just additional reviewers. The priority is simple: protect the organisation from both risk and review overload, and give managers one coherent view of what truly needs fixing.

If you want to turn these ideas into practice, the next step is straightforward: build a joint assurance map and calendar, and use it to start a constructive conversation with other assurance providers and your audit committee. From there, you can layer in templates, trackers and frameworks – using your own tools or resources similar to those available via internalcontroltoolbox.com – to make coordinated assurance part of how you run the business.
