Many internal audit teams choose to start small when implementing TeamMate — focusing on core workflows to ease adoption and avoid overwhelming users. This is a smart approach, but often it means that valuable functionality remains untapped. We help you build on your foundation by expanding usage across modules, optimising configuration, and staying ahead of new releases. Whether it is unused functionality, newly released features, or automation opportunities, we ensure you maximise the value of your existing investment. Our experts work alongside your team to align the system’s capabilities with your audit goals, maturity, and evolving needs.

TeamMate is not just for internal audit—it is a powerful platform that can support risk, compliance, quality, finance, and other assurance functions. Many organisations begin with internal audit and later recognise the benefits of aligning methodologies, reporting, and workflows across departments. BR1GHT helps you scale your TeamMate implementation beyond audit by designing shared frameworks, enabling secure role-based access, and tailoring configurations for each line of defence. We ensure governance teams work more collaboratively, efficiently, and with greater insight—on one integrated platform.

To deliver real-time insights and maximise efficiency, internal audit teams need more than a standalone system—they need integration. BR1GHT helps you connect TeamMate with other platforms across your organisation, including risk, compliance, issue tracking, analytics, and enterprise systems. Integration enables streamlined workflows, reduces manual effort, and ensures that your audit activities are aligned with the broader governance landscape. We make sure your audit function is connected, data-driven, and positioned to deliver greater impact across the organisation.

Strong insights rely on strong data. Many internal audit teams underuse TeamMate’s capabilities when it comes to analytics and reporting—missing opportunities to drive value and improve risk coverage. At BR1GHT, we help you enhance how data is captured, analysed, and presented within TeamMate. Whether it is building dynamic dashboards, improving KPI tracking, or unlocking insights from existing data, we strengthen your reporting and decision-making capabilities. We ensure your audit outputs are not only accurate, but also impactful and easy to communicate to stakeholders.

The governance environment can be described as informal, with a focus on organising governance and initiating risk treatment. This is not a desirable situation, but can be found in the following cases: 

• In sectors where few risks are present and compliance plays little to no role – creative institutions or architectural firm. 

• In start-ups or organisations that have undergone significant changes (e.g., mergers or new ownership). These organisations need to (re)structure themselves. 

• In small or medium-sized organisations that have never dealt with control issues (such as process errors or fraud) or are unaware of them. These organisations have never truly felt the need for a higher level of internal control. 

• In companies where management lacks knowledge of internal control and, as a result, does not see its importance, lacks ambition, or the decisiveness to progress to Level II. 

• There is limited knowledge of internal control and, consequently, a low level of intrinsic ambition. Internal control is often viewed as unnecessary and as a cost burden. 

• Sometimes, an incident has triggered a sense of urgency; the organisation no longer wants to keep reacting and seeks to implement preventive measures. 

• Often, one or more specialists in internal, financial, or operational control are brought in to analyse the situation and provide recommendations for improvement. 

• These specialists usually remain involved to implement the improvements: the auditor becomes the organisation’s born controls specialist. 

The governance environment can be described as standardised, with a focus on the design and implementation of control measures. In some cases, the first line has started executing these measures. This is considered the minimum level of internal control. The organisation has evolved from an initially reactive approach to risk management toward a more proactive mindset focused on implementing control measures. Instead of putting out fires after incidents, preventive control measures are proactively formulated and implemented based on structured risk analyses.

This level of internal control can be found in:

• Unregulated companies without a high-risk profile – simple local trading and manufacturing organisations, consultancy firms, etc.
• Mid-sized organisations under pressure to be financially and operationally predictable – internal (e.g., from an international holding company) or external (due to supply chain requirements).
• Organisations where quality is a key factor in maintaining competitive advantage (often driven by customer requirements) – service sector such as telecommunications & media, universities, universities of applied sciences, and hospitals.
• Organisations subject to mandatory audits, where the auditor can no longer rely solely on a substantive audit approach and instead relies on control activities performed by the organisation itself.

• Strong need for good governance with a defined risk profile, and a solid system of internal controls.
• Basic governance structure with roles and responsibilities for leadership and oversight, as well as policies, guidelines, and procedures.
• Oversight is present – via a holding or an active supervisory board. Risk or audit committees are still relatively uncommon.
• Good level of specialists – risk managers, internal controllers, (quality) auditors, and security officers – organised across the first, second, and third lines.
• The second line identifies controls to be carried out by the first line. These controls are formally designed and seen as the baseline controls, typically based on objective best practice frameworks such as COSO, COBIT, or ISO standards.
• Ownership in the first line is often limited. Executing control measures is sometimes perceived as “additional work,” carried out with some resistance or delegated to an internal control function.
• Where law & regulation or guidelines apply a compliance officer is appointed.
• The external auditor is the party that tests the operational effectiveness of controls. The auditor is the organisation’s “control conscience,” and their findings are used as a checklist to achieve adequate control.
• A third line or internal audit function is limited present. If an internal auditor is appointed, their core responsibility typically lies in stimulating collaboration.

The governance environment can be described as managed with a focus on the providing assurance that all controls are working (have worked over a certain period) – operating effectiveness. This assurance can be provided (on specific areas) by third parties or by the organisation herself (internally and to third parties via voluntarily oversight).

• Commonly seen across entire organisations in regulated sectors such as the financial industry (e.g., Basel III), pharmaceuticals (FDA/EMA), energy providers, and telecom.
• Organisations where specific parts of operations are regulated – multiple tax jurisdictions, construction companies (safety), financial start-ups (AML/PSD3), international trading companies (export controls involving restricted countries).
• In specialised domains, such as technologically advanced organisations where security incidents can cause significant disruption.
• Listed companies, where the control environment as a whole is subject to external audits (e.g., financial reporting requirements under SOx).
• IT service providers, where part of the client’s control execution is outsourced.

• Internal control is essential because the license to operate — and therefore business continuity — is at risk. This need is deeply embedded in the culture of checks and balances throughout all layers of the (partially) regulated organisation.
• Monitoring and (centralised) reporting through combined assurance are vital for effective oversight.
• The Three Lines Model is normatively implemented (sometimes as a mandatory regulatory requirement). Each line has clearly defined charters, effectiveness is monitored via KPIs, and there is a high degree of collaboration between the lines.
• Emphasis is placed on testing operational effectiveness of controls by the business itself. In some cases, the business is supported by an internal control function.
• Technology plays a critical role. Integrated GRC solutions are often used, with the aim of automating as many control measures as possible to increase effectiveness (fewer human errors) and reduce costs.
• In large international organisations, functional silos may develop within compliance areas, sometimes supported by their own specific technologies.
• Parts of operations are frequently assessed by third parties (such as external auditors) and issued with formal assurance reports. Examples include ISAE 3402 for IT service provider control frameworks, COS 3000, or SOC 1, 2, or 3 reports.
• More mature organisations strive for transparency with regulators, reporting on the functioning of control measures and proactively sharing all findings, issues, and mitigating actions.
• The same level of transparency is often extended to partners or customers (from the perspective of an IT service provider) when there is a shared interest in joint value creation. As transparency increases, the need for costly external assurance reports may diminish.

The governance environment can be described as optimised, with a focus on conveying trust to specific stakeholders and/or society as a whole.

Factors contributing to this context include:

• The general typology of the organisation.
• The company’s specific risk profile.
• The number of years the organisation has been active and stable.
• The quality of management and the presence of key actors, including their insights and expertise.
• The ambition and decisiveness of the leadership.

This level is defined by:

• • Core business processes involve minimal human intervention and are highly automated – platforms, content providers, banks, etc.
  • Transparency and trust is the norm to add value – organisations under public scrutiny (due to activism or public pressure), or to those functioning as partners in a value chain technologically integrated (e.g., Bol.com and all its suppliers and partners).
  • Governance is integrated with that of partners. Interdependencies are made explicit and translated into shared responsibilities, control measures, and information needs – IT-service providers.
  • All governing bodies require unified insights into the quality of the internal control system. These insights are provided via dashboards with drill-down capabilities.
  • (Integrated) dashboards are shared with partners (or co-developed and co-managed), where the organisation has reversed the reporting flow to on-demand insight — meaning the partner accesses data whenever they wish, instead of waiting for periodic reports.
  • To build trust, transparency is essential. And to be fully transparent, control measures must function continuously. Any issue can create uncertainty. The nature of controls shifts towards fully automated, repressive (impact-limiting) measures, including automated remediation.

Internal audit adds real value when its structure, processes, and team capabilities are aligned with organisational needs and stakeholder expectations. BR1GHT helps you assess your current operating model and define a realistic path forward. Whether you need to build a solid foundation or elevate to a leading practice function, we support you with practical frameworks, hands-on improvements, and tailored development initiatives. Our support covers everything from audit planning and reporting to skills development and team structure.

Strong governance relies on clear roles and effective collaboration between the three lines. BR1GHT helps internal audit work more cohesively with risk, compliance, finance, and

business functions. We clarify roles, design shared frameworks, and create integrated assurance models that ensure audit adds value without duplicating effort. We support CAEs in positioning internal audit as a central player in the governance landscape—aligned but independent, and always focused on driving collective risk oversight.

For those Internal Audit functions, who have the ambition to provide independent assurance, and be recognised as such, and those who want to perform an active role in joined or integrated (SOX) audits together with their External Auditor, we provide the following solutions (please read our enclosed article “The professional Internal Audit function – gaining recognition and adding business value as Internal Audit”:

• Co-ordination of the External Quality Assessment (EQA) via a highly experienced CIA. This co-ordination can include a Readiness Assessment, support in initial improvement, the Self-Assessment, and or the actual EQA. All our services include an assessment of best practices and technology used.

• Co-ordination of IIA certified Quality Services. Competent, independent validators who are well-versed in the quality assessment methodology to provide an independent validation of the internal audit function’s self-assessment. In addition to reviewing the self-assessment, the validator also substantiates work completed by the self-assessment team and interviews selected senior management. Upon conclusion of the SAIV, the Quality Services validator will provide a validation report of the internal audit function’s SAIV report as well as any additional successful practices, conformance gaps, and enhancement opportunities.

• Readiness Assessments. The Gap Assessment service offering is often helpful to newly hired CAEs and those internal audit activities preparing to begin efforts to conform to the
• Support and best practice technology to:
  • Perform the internal Quality Assessments,
  • Be able to perform joined audits with the External Auditor (so they comply with ISA 610) and realise the mentioned benefits in audit efforts, timing and audit costs.
  • Realise an effective and efficient integrated SOX-audit.
  • Pre-rotation assessments (done by Internal Audit) to realise best practice internal controls before mandatory audit rotation and safe costs.

The internal audit function must be equipped to respond to change—be it new risks, organisational transformation, or shifting expectations. BR1GHT helps you build agility into your audit approach, enabling quicker reactions, dynamic planning, and flexible delivery. At the same time, we help you strengthen resilience—ensuring the function remains effective and relevant through change. From embedding adaptive planning to navigating strategic shifts, we support you in becoming a forward-looking, value-adding function.

Strong internal audit functions rely on capable teams that continuously develop their skills and keep up with system and methodology changes. BR1GHT offers targeted training and coaching programmes for both TeamMate Champions and Chief Audit Executives. Whether you need to enhance operational effectiveness, align your system with best practices, or add strategic value through audit, we have a programme that fits your needs. From one-off sessions to ongoing support, we equip your team to maintain, improve, and lead with confidence.