Governance. Risk. Compliance. Cybersecurity.
MAST Consulting Group - Governance, Risk, Compliance and Cybersecurity Logo
Timeline

Timeline — Internal Audit (Co-sourced & Outsourced)

A realistic week-by-week view of how Internal Audit (Co-sourced & Outsourced) runs. Timelines compress for smaller scopes and extend for multi-entity or multi-site programmes; this baseline assumes a mid-size enterprise.

  • ISO/IEC 27001 Certified
  • ISO/IEC 27701 Certified
  • ISO 9001 Certified

Delivered by an ISO/IEC 27001, 27701 & 9001 certified organisation

Week-by-week plan

WeekPhaseKey activitiesOutput
Weeks 1–3Risk AssessmentEnterprise-risk-aligned annual audit plan.Signed-off risk assessment pack and gate review
Weeks 4–6ExecutionQuarterly audits across IT, cyber, privacy and compliance.Signed-off execution pack and gate review
Weeks 7–9ReportingAudit committee reporting and KPI dashboards.Signed-off reporting pack and gate review
Weeks 10–12Follow-upManagement action tracking and validation.Signed-off follow-up pack and gate review
12-week delivery plan

Gantt-style timeline titled "12-week delivery plan" over 12 Weeks with 4 phases: Risk Assessment from Week 1 to 3; Execution from Week 4 to 6; Reporting from Week 7 to 9; Follow-up from Week 10 to 12.

Risk Assessment
Signed-off risk assessment pack and gate review
Execution
Signed-off execution pack and gate review
Reporting
Signed-off reporting pack and gate review
Follow-up
Signed-off follow-up pack and gate review

What accelerates the timeline

  • Executive sponsor engaged from day one with weekly steering attendance.
  • Existing asset inventory, network diagrams and HR org chart available.
  • GRC tooling already deployed or selected (Vanta, Drata, Archer, ServiceNow).
  • Workforce available for awareness training within the engagement window.
Conditions that compress delivery

Checklist titled "Conditions that compress delivery" with 4 items, every item marked complete: Executive sponsor engaged from day one with weekly steering attendance.; Existing asset inventory, network diagrams and HR org chart available.; GRC tooling already deployed or selected (Vanta, Drata, Archer, ServiceNow).; Workforce available for awareness training within the engagement window..

  • Executive sponsor engaged from day one with weekly steering attendance.
  • Existing asset inventory, network diagrams and HR org chart available.
  • GRC tooling already deployed or selected (Vanta, Drata, Archer, ServiceNow).
  • Workforce available for awareness training within the engagement window.

What typically extends it

  • Multiple legal entities, brands or geographies in scope.
  • Significant cloud migration running in parallel.
  • Open audit findings or regulator enforcement requiring remediation first.
  • Mergers, divestitures or system replacements mid-engagement.
Next: Pricing & Engagement