Assurance

Internal audit, delivered alongside your team.

Assurance gives your organisation a full internal audit function without the cost and rigidity of the Big 4. We work alongside your existing team (co-sourcing) or run the function for you (outsourcing), delivering risk-based annual plans, fieldwork, board-ready reports, and remediation that is actually tracked to closure. The work meets the standards your audit committee and regulator expect, and you keep the evidence and the platform when the engagement ends. We call it co-assurance: assurance built with your team and your board, not handed down and billed by the hour.

When to co-source, and when to outsource

Co-sourcing suits organisations that already have an internal audit function but need more capacity or specific skills, for example IT, data protection or AI governance. You keep control; we strengthen the work. Full outsourcing suits organisations that do not yet have a function, or whose board wants a fully independent one, where we run internal audit end to end and report to your audit committee.

In both cases the method is the same, the reporting is the same, and the evidence stays with you. You can start with co-sourcing and move either way as you grow.

What we cover

Co-sourced and outsourced internal audit

We add capacity and method to your team, or run the whole function for you. Either way you get a risk-based plan, fieldwork, and reporting your audit committee can rely on.

Systems and IT audits

Application and general IT controls, user access and segregation of duties, change management, and reviews of the core systems your business runs on.

Data protection reviews

Readiness for the Kenya Data Protection Act and the Office of the Data Protection Commissioner (ODPC): records of processing, controller and processor obligations, and breach response.

ISO 42001 and AI-governance readiness

AI inventories, risk and impact assessments, model and vendor governance, and the management system that ISO 42001, the standard for governing AI, expects.

How an engagement runs

  1. Scope and risk assessment

    We agree the audit universe and the risks that matter most to your board and your regulator.

  2. Annual plan

    We turn that into a practical, risk-based plan with clear timing and ownership.

  3. Fieldwork

    Testing, evidence and work papers run on Assurance OS, so every conclusion is supported and reviewable.

  4. Reporting

    Findings, ratings and recommendations go to management and the audit committee in plain language.

  5. Remediation and follow-up

    Actions are tracked to closure, with overdue items escalated, so issues actually get fixed.

Why teams choose Murikah

Senior judgement

The work is led by senior practitioners and runs to the IIA Global Internal Audit Standards, not handed to juniors.

A platform you keep

Your evidence and reporting live in Assurance OS, and the records stay with you when the engagement ends.

Regulatory fluency

We work to SASRA, Central Bank of Kenya and ODPC expectations and the IIA Global Internal Audit Standards.

Fair pricing

Big-4-grade work without Big-4 fees, scoped to the mid-market.

Questions

Frequently asked questions

What is co-sourced internal audit?

Co-sourcing means we work alongside your existing internal audit team rather than replacing it. You keep ownership and institutional knowledge, and we add capacity, methodology and tooling where you need them, for example specialist IT or AI-governance work, or simply more hands during a busy plan. It is a practical middle ground between hiring and full outsourcing.

How is this different from hiring the Big 4?

You get the same rigour and independence, with three differences. The work is led by senior practitioners throughout, not staffed down to trainees. It runs on our own platform, so reporting and remediation are faster and the evidence stays with you. And it is priced for the mid-market, without long lock-in. We call it co-assurance: built with your team and your board.

Can you work with our existing internal audit team?

Yes. That is the most common way we work. We supplement your team on specific audits, bring methodology and a platform, and help raise the function to the standard your audit committee expects. Where you have no in-house team yet, we can run the function and help you build one over time.

Which regulators and standards do you cover?

For SACCOs we work to SASRA (the SACCO Societies Regulatory Authority) expectations. For banks, microfinance institutions and fintechs we align to Central Bank of Kenya requirements. For data protection we follow the Kenya Data Protection Act and the ODPC. Our internal audit work follows the IIA Global Internal Audit Standards, and our AI-governance work follows ISO 42001.

How quickly can you start, and how are you priced?

A focused engagement can usually start within a few weeks of scoping. Pricing depends on the size of your audit universe and whether you choose co-sourcing or full outsourcing, and is agreed up front so there are no surprises. Tell us your context on a short call and we will give you a clear proposal.