Governance. Risk. Compliance. Cybersecurity.

Deliverables — Internal Audit (Co-sourced & Outsourced)

Every Internal Audit (Co-sourced & Outsourced) engagement ends with a defined evidence pack — policies, registers, technical reports and an executive summary — owned by your team and reusable across audits.

  • ISO/IEC 27001 Certified
  • ISO/IEC 27701 Certified
  • ISO 9001 Certified

Delivered by an ISO/IEC 27001, 27701 & 9001 certified organisation

Programme governance artefacts

  • Programme charter and steering deck
  • RACI matrix across business, IT, security, legal and audit
  • Risk register with treatment plans and owners
  • Compliance roadmap with quarterly milestones

Policy and process library

  • Audit universe and risk-based annual plan
  • Working papers, test scripts and sampling rationale
  • Findings register with risk rating and owner
  • Quarterly audit committee report

Technical evidence

  • Asset inventory with classification and ownership
  • Vulnerability scan reports with prioritised remediation
  • Penetration test report with attestation letter
  • Configuration baselines and hardening evidence for critical systems
  • Logging and monitoring coverage matrix against MITRE ATT&CK
  • Backup, restore-test and DR exercise evidence

Figure: horizontal bar chart, "Typical evidence volume per domain". Values: Asset inventory 12 items; Vulnerability scan reports 19 items; Penetration test report 26 items; Configuration baselines 33 items; Logging and monitoring coverage 12 items; Backup, restore-test and DR exercise 19 items.

Audit-facing pack

  • Statement of Applicability or equivalent scope statement
  • Internal audit report with management response
  • Management review minutes and CAPA log
  • External audit liaison notes and clarifications log

Knowledge transfer

We do not leave you dependent. Every engagement includes a structured handover: a 90-day operating playbook, recorded walkthroughs of every artefact, and two post-go-live clinics with the delivery team.