The Audit mindset shift: from policing to partnering w/ Tom Edwards & Puru Pawar

How do you keep pace with innovation when it never stops moving?

That’s the challenge facing every Audit leader today. In an age where technology evolves faster than audit cycles, staying relevant isn’t about doing more of the same. It’s about rethinking what audit really means.

In this fifth edition of Behind the Controls, I spoke with Puru Pawar, an experienced ex-Big 4 Internal Audit executive with over 20 years in the field, including 17 at Philips. From transforming audit functions to embedding a culture of foresight, Puru shares his perspective on how to stay ahead in a fast-moving world.

 


“It all starts with mindset”

When asked how internal audit can keep up with the relentless pace of innovation, Puru didn’t hesitate.

 "It starts with mindset. Internal audit’s job is to embed a risk culture in the organisation.”

That, he explained, means going beyond the checklist of traditional audits and asking the harder strategic questions: Where is the business headed? What risks could derail innovation? Are those risks being addressed? Are we evolving fast enough?

Puru illustrated the point with a well-known example:

 “Look back at Nokia. They were once the biggest cell phone company in the world. But they couldn’t keep pace with innovation. The question I’d ask is: did internal audit at Nokia provide the foresight to the board that if they didn’t embark on digital transformation, they’d be left behind?”

For Puru, that’s where modern audit comes in: not just reporting on the past, but guiding decisions about the future.



Moving beyond the traditional

Internal audit is often seen as a guardian of compliance. Puru sees it as something far more dynamic.

“Audit is no longer just independent and objective, it’s a strategic business partner.”

He referenced the new IIA standards, which position internal audit as a strategic enabler – a profound shift.

“You shouldn’t be seen as policing senior leadership. You should be seen as a true collaborator and integrator. Audit has the privilege to take a systemic view of the organisation, that’s powerful.” 

By engaging in advisory work, for example with business units developing a new product line, whether that means assessing readiness for new regulations like the EU AI Act or the NIS 2 Directive or advising management on strategic programmes to address emerging risks, audit can provide foresight, not just oversight.

 


Tailoring audit for high-tech environments

Auditing a global, technology-driven manufacturer is no small feat. For example, in the MedTech industry, most medical devices, from imaging systems to connected therapeutics, are powered by embedded software, introducing a complex layer of operational and cybersecurity risk.

“With technology embedded into products, you need to understand the evolution of the products and the risks in that evolution. You collaborate with business leaders to make sure those risks are part of your audit universe.”

Effective audit in a high-tech environment means getting close to where innovation happens: understanding the engineering process, regulations, data and dependencies.

And, above all, ensuring compliance is built in, not bolted on.

“Compliance by design. It has to be embedded in the design itself. Otherwise, you end up doing a lot of repair work later, and then your auditors aren’t happy, your regulators aren’t happy.”


Building trust: partnership in action

But audit can only truly keep pace with innovation if it builds trust.

That starts by shifting perceptions from being seen as a blocker to being recognised as a strategic problem solver. Puru highlights one powerful way Internal Audit teams can do this: by adopting advisory-style engagements, especially in areas involving emerging risks.

Early on, stakeholders may be sceptical, and for good reason. New approaches challenge familiar structures. But there’s room to adapt. For instance, Internal Audit can experiment with removing formal audit ratings while maintaining rigour, revising the process, updating templates, and fine-tuning communication to encourage collaboration.

Why? In scenarios where management is still working through mitigation strategies, formal ratings may feel premature. 

“Advisory engagements can provide a better path, offering early, actionable recommendations while management develops its response.” 

The result? Greater openness, smarter alignment, and better outcomes, all while preserving audit’s independence and credibility.

And isn’t that exactly how trust is built?



Audit that drives impact: real-world examples

Looking beyond traditional audit means engaging with core strategic, operational, and compliance topics. Not just to improve processes and safeguard compliance, but to unlock business value.

To this end, Puru provides a couple of examples where Internal Audit in the MedTech sector – and, by extension, other industries – can proactively do just that: enhance compliance while driving performance.

(1) Strengthening governance & enabling revenue opportunities

Internal Audit can play a key role in reviewing how MedTech companies manage their installed base of long-life medical devices deployed across healthcare facilities. Effective oversight in this area can help organisations not only meet post-market surveillance expectations but also protect patient safety and brand reputation.

By conducting rotational audits across business units, Internal Audit teams can assess governance, reporting, data quality, and related systems, ultimately recommending structural improvements.

The result can be twofold, Puru explains: stronger compliance and risk management, and greater visibility into the installed base, enabling commercial teams to re-engage providers with targeted service and maintenance offerings.

“Proactive audit work can go beyond issue identification: it can surface hidden opportunities for growth.”

(2) Evolving from manual response to scalable protection

Another area Internal Audit can explore is how organisations manage cybersecurity vulnerabilities across connected medical devices, says Puru.

If manual patching methods are still in use, audit teams can assess whether secure remote service capabilities might offer a more scalable and resilient solution. This shift can not only improve operational efficiency, but also strengthen governance, reduce response time, and support the development of recurring revenue through remote service models.

“By identifying scalable solutions early, audit can help the business stay both protected and future ready.”


So how can Audit leaders make the switch? 

Looking ahead, Puru sees four key enablers for audit leaders who want to stay relevant:

  1. Think beyond traditional auditing – move from focusing solely on financial risks and assurance to including strategic, operational and compliance risks.
  2. Be a trusted business partner – create value by collaborating and advising, not just reporting.
  3. Leverage technology and data – use AI-based auditing, analytics and existing tools to your advantage.
  4. Invest in talent – build a team that reflects the future, not the past.



Talent: the ultimate differentiator

To Puru, the audit function is an incubator for talent.

“You can’t hire every skill under the sun. So develop good talent models. Balance career auditors with rotational ones.”

He’s a big believer in the rotational auditor model: bringing in people from different business units for fixed terms so they can share expertise and perspectives.

“When someone joins from the supply chain or informatics units, for example, they bring networks and process insights. It enriches the audit function.”

That blend of internal experience and external expertise (via co-sourcing where necessary) creates a team that can think critically and act strategically.

 


Final thoughts

Audit’s reputation has often been one of caution. But as organisations transform, its role is changing, from hindsight to foresight. That foresight, Puru believes, is what will protect the function’s future and its value to the organisation.

His message to other audit leaders is clear: stay collaborative as much as you stay independent and objective – that’s how you become a trusted business partner.

Because innovation won’t slow down for anyone. But with the right mindset and partnerships, internal audit can do more than keep up. It can lead.

And crucially, he adds, this transformation isn’t something a Chief Audit Executive can do alone.

“It requires empowerment from the board and the audit committee. The mandate has to come from the top.”


Over to you

How is your audit function adapting to innovation? Share your thoughts in the comments, or tell us how your team is building foresight into its audit plan.

 

