The AI-Ready Audit
Internal Audit for Electrical Distribution Enterprises

Team Structure and Capability Design

Build the Function Around the Work

A research-backed team structure for internal audit functions navigating modernization in complex operational environments. Written for IA leaders designing or redesigning their function -- and intended to support the conversation with executive leadership when the structural case needs to be made.

Why structure matters CAE and governance The modern CAE The target structure Upskilling priorities Design principles
Key takeaways — read this first
  • The IIA 2024 Standards define the CAE as a governance role -- not a management title. The accountabilities are non-delegable and cannot be shared with an operational workload.
  • A modern audit function requires one reporting line for execution staff, one voice on methodology, and a CAE with dedicated capacity for strategy and stakeholder relationships.
  • The Senior Auditor tier is a formal progression step -- skipping it creates a capability cliff that drives experienced staff to leave for advancement.
  • Distributed analytics capability -- not individual expertise -- is the design goal. The function should not depend on any single person's skills.
  • Salary ranges for St. Louis / Missouri market are included for each role based on 2024--2025 benchmarking data.
Design principle
Role clarity over headcount
Capability goal
Distributed analytics capability
Retention strategy
Succession by design

Why Structure Is a Strategy Decision

The way an audit function is structured determines almost everything else -- what work gets done, how consistently it gets done, and whether the function can sustain modernization without burning out the people driving it. Most small audit teams inherit their structure rather than design it. Roles are defined by who was hired, not by what the function needs to deliver. In a stable environment that is manageable. In a modernizing function operating through enterprise transition, inherited structure becomes a constraint.

The IIA's 2024 Global Internal Audit Standards reinforce that the chief audit executive is responsible for ensuring the function collectively possesses the competencies to perform the services described in the audit charter. That is not a staffing requirement. It is a structural one. The question is not whether you have enough people. It is whether your structure deploys the people you have in a way that delivers what the charter requires.

Governance Starts With the CAE

The 2024 IIA Global Internal Audit Standards establish the chief audit executive as a governance role with specific, non-delegable accountabilities: strategic planning for the function, organizational independence, board and audit committee relationship ownership, and enterprise-level risk representation. Domain III does not describe a management title. It describes a governance position.

The CAE is accountable to the audit committee for the function's effectiveness -- not just its output. That accountability requires dedicated capacity, organizational positioning, and executive access that cannot be shared with an operational workload. Deloitte's 2024 Global CAE Survey found that 82% of internal audit functions have increased their organizational impact in the last three years, while only 14% believe they have reached their full potential. The functions closing that gap are led by CAEs who operate at the governance level -- present in strategic conversations, invested in capability development, and positioned to influence the risk agenda before it surfaces as a finding.

In an employee-owned company, that governance role carries additional responsibility. ESOP plan integrity, valuation input controls, and fiduciary oversight are directly tied to employee retirement security. The CAE's scope includes those processes -- and the organizational positioning to provide credible assurance over them.

In a large-scale distribution operation, the CAE's scope extends to the operational processes that protect both margin and customer trust -- pricing discipline across a multi-location network, inventory integrity at branch level, automated control reliability in a modernized ERP environment, and the data quality that AI-driven tools depend on to produce reliable outputs. These are not abstract risk categories. They are the live risk areas of a distribution business in active transformation.

What the Modern CAE Role Requires

The IIA 2024 Global Internal Audit Standards define the CAE role by its accountabilities, not its credentials. The five dimensions below reflect what those accountabilities look like in practice.

Dimension 1
Strategic Vision and Execution
The CAE develops a documented, defensible audit strategy aligned to the organization's risk landscape and forward direction -- updating it dynamically as conditions change rather than treating it as an annual deliverable. IIA 2024 Standards Principle 9 assigns strategic planning as a non-delegable CAE accountability. Evidence of this capability includes a demonstrated ability to build and present a risk-based audit plan, translate organizational intelligence into coverage decisions, and communicate audit strategy in language that resonates at the executive and board level. A CAE whose strategy accounts for where the organization will be in three to five years -- not just where it is today -- is expressing the same long-term orientation that defines high-performing employee-owned companies. The audit plan that reflects next year's risks is already behind.
Dimension 2
Digital Fluency and AI Literacy
The modern CAE holds credible strategic conversations about AI deployment, analytics infrastructure, and digital transformation -- with technology leaders, the CFO, and the audit committee. This is a literacy requirement, not a technical one. The IIA 2024 Standards require CAEs to leverage appropriate technology and plan for emerging tools including AI. Evidence of this capability includes engagement with analytics capability development, familiarity with AI governance frameworks, and informed judgment about automated controls and data-driven decision systems.
Dimension 3
Stakeholder Relationship and Influence
The CAE builds and maintains credibility with executive leadership, the audit committee, and cross-functional partners -- and demonstrates the ability to influence outcomes without authority. Evidence of this capability includes direct executive access, cross-functional engagement, and a track record of findings and recommendations that were acted on. The CAE who arrives at strategic conversations already trusted shapes the risk agenda. The one still establishing credibility reacts to it.
Dimension 4
Professional Development Advocacy and Ownership
The CAE actively champions professional development as a leadership responsibility -- not a delegated function. Evidence of this capability includes ownership of structured development programming, cross-functional or enterprise-level development initiatives, and a track record of building team capability deliberately across different professional contexts. The IIA 2024 Standards require a dedicated approach to developing and retaining internal auditors at the CAE level. A leader who has led development as both a people manager and a functional advocate -- across different environments -- brings a broader and more durable approach to capability building than one whose development experience is limited to a single context.
Dimension 5
Governance Accountability and Board Readiness
The CAE communicates at the audit committee level -- translating findings into governance-relevant language, presenting function performance with transparency, and escalating concerns without intermediaries. Evidence of this capability includes direct committee communication experience, written reporting to executive leadership, and demonstrated judgment about what rises to governance-level attention versus what is managed operationally.

The Small Team Paradox

Small teams are not a temporary condition on the way to something larger. They are the normal operating state for most audit functions -- and the frameworks designed for large teams do not translate directly.

Scale
Most audit functions are small by design
IIA research consistently finds that the majority of internal audit functions operate with small teams -- a reality that shapes every structural and capacity decision a modernizing function must make. Small teams are not a temporary condition on the way to something larger. They are the normal operating state for most functions. The frameworks that work for large enterprise audit teams -- deep specialization, dedicated methodology units, separate quality assurance functions -- do not translate directly to teams of six to ten people.
Risk
Single points of failure compound
When a function has one person with analytics capability, one person who owns IT audit, and one person who manages external auditor relationships, any one of those people leaving, traveling, or changing roles creates an immediate coverage gap. Small teams that do not actively design against concentration risk will eventually be managed by it.
Culture
Inconsistent leadership creates compounding dysfunction
Research on small professional service teams consistently finds that dual leadership structures -- two senior leaders with overlapping authority and inconsistent styles -- are consistently associated with trust erosion and staff disengagement in research on small professional service teams. Staff receive contradictory direction, credit attribution becomes competitive, and collaboration declines. For audit functions where methodology consistency directly affects finding quality, this is not just a culture problem. It is a quality problem. The target structure below resolves this directly -- one reporting line, one voice on methodology, and a clear separation between execution leadership and strategic oversight.

From Inherited to Intentional: The Target Structure

The structure below is designed around what the function needs to deliver -- aligned to IIA 2024 Global Internal Audit Standards, industry benchmarking for small-to-mid-size functions, and the specific demands of a function operating through active modernization and ERP transition. It is a starting point for intentional design, not a universal template.

Leadership
Chief Audit Executive (CAE)
Responsible for audit strategy, audit committee relationships, executive stakeholder management, and organizational representation. This role should not carry a fieldwork assignment and should not be managing day-to-day engagement operations. Its value is external -- relationships, visibility, and organizational influence. When the top audit role is occupied primarily by fieldwork, the function loses its most important strategic asset.

In an employee-owned company, the CAE typically reports administratively to the CFO, with a direct dotted-line relationship to the audit committee or board. This structure is common and workable -- but it places a higher burden on the charter and the audit committee relationship to preserve the independence the role requires. The CFO's organization remains within audit scope regardless of the administrative reporting line, and the CAE's direct access to the audit committee must be explicitly documented and protected.

In an employee-owned company, this accountability carries additional weight. The employees are the shareholders. ESOP plan integrity, company valuation inputs, and fiduciary oversight are not abstract governance concerns -- they are directly tied to employee retirement security. A CAE who understands that context is not just protecting the organization. They are protecting the people who own it.

St. Louis / MO market range (base salary): $180,000 -- $275,000

What success looks like in this role
  • Develop and own the internal audit strategy -- a documented, defensible plan that reflects the organization's risk landscape, technology trajectory, and strategic priorities, updated dynamically as conditions change, not treated as an annual deliverable.
  • Maintain the audit committee relationship through regular pre-meeting preparation, candid disclosure of scope limitations or resource constraints, and written communications that translate audit findings into governance-relevant language.
  • Represent the audit function in executive leadership discussions, technology governance committees, ERP steering conversations, and enterprise risk forums -- not as a reporter of findings but as an active participant in shaping the risk agenda.
  • Stay current on digital transformation trends -- including AI deployment, automation risk, and data governance -- well enough to hold credible conversations with technology leaders and provide assurance over AI-driven or automated decision processes.
  • Proactively identify and propose audit scope expansions that protect the organization's most significant investments -- including independent data completeness assurance during enterprise system migrations, where IT bandwidth constraints create coverage gaps that audit is uniquely positioned to fill with analytical rigor and independence.
  • Build and maintain an external network of audit leaders, standard-setters, and industry peers that brings outside perspective into the function and raises its professional visibility.
  • Own the function's capability trajectory -- tool selection, training investment, hiring criteria, and role design -- treating the team's development as a strategic output, not an administrative task.
  • Remove organizational blockers for the team: data access delays, escalation stalls, stakeholder resistance. The CAE's organizational positioning exists to solve problems the team cannot solve from below.
  • Monitor function-level performance: detection lead time, finding significance, exception closure rates, methodology consistency, and stakeholder confidence -- and communicate that performance to the audit committee with transparency.
Operations
Senior Manager, Audit Operations
Responsible for engagement execution quality, staff development, fieldwork consistency, and the day-to-day operating standard of the audit function. This is a single-hat role. One voice on how fieldwork is conducted, one reporting line for all execution staff, and one standard for what good looks like. Having two senior leaders in this space with overlapping authority and inconsistent styles is a primary structural cause of methodology drift in small audit functions -- and the structure below is designed to eliminate it.

St. Louis / MO market range (base salary): $140,000 -- $175,000

What success looks like in this role
  • Design and own the fieldwork methodology -- how engagements are scoped, how branch visits are structured, how evidence is captured, and how findings are documented and communicated.
  • Manage the engagement calendar across all active audits, ensuring resource allocation is balanced and deadlines are realistic.
  • Conduct fieldwork quality reviews on completed working papers before findings are communicated, maintaining consistent standards across all team members.
  • Coach staff auditors and managers through fieldwork execution, providing real-time feedback rather than post-engagement critiques.
  • Serve as the single voice on how fieldwork is conducted -- eliminating the methodology inconsistency that dual-leadership structures create.
  • Track repeat findings across engagements and escalate patterns to the CAE when methodology realignment is needed.
Technology
Senior Manager, IT Audit and Assurance
Responsible for IT audit coverage, SOX program oversight where applicable, external auditor coordination, and technology risk assessments. This role is the bridge between internal audit and the external audit relationship and the natural owner of controls work that surfaces during ERP implementation and post-implementation review.

St. Louis / MO market range (base salary): $149,000 -- $190,000

What success looks like in this role
  • Plan and execute IT audit coverage across the enterprise system landscape -- ERP, WMS, HCM, pricing engines, and logistics platforms.
  • Own the external auditor relationship: coordinate requests, manage the evidence-sharing workflow, and ensure audit's deliverables meet external auditor timelines.
  • Lead controls testing for SOX-relevant processes where applicable, maintaining documentation that satisfies both internal and external standards.
  • Serve as the audit function's primary point of contact for IT governance, cybersecurity risk assessments, and technology change management reviews.
  • Assess automated controls in the new ERP environment and identify where manual compensating controls are still required.
  • Brief the CAE on emerging technology risks that should be reflected in the risk assessment or audit plan.
Execution
Managers of Internal Audit
Responsible for engagement execution, analytics application within engagements, and emerging specialist functions. In a modernizing team these roles should have differentiated development paths -- one developing depth in a specific operational domain, the other developing depth in data analytics and beginning to absorb repeatable analytics execution to reduce single-point-of-failure risk.

St. Louis / MO market range (base salary): $105,000 -- $140,000

What success looks like in this role
  • Execute engagement fieldwork end-to-end: planning, testing, finding development, and working paper documentation.
  • Apply analytics within engagements -- running population tests, interpreting exception reports, and translating data signals into audit findings.
  • Develop depth in an assigned domain (operational or analytics) as a deliberate career development path, not an informal expectation.
  • Lead branch or region visits, conducting opening and closing meetings and managing local stakeholder relationships during fieldwork.
  • Mentor staff auditors during engagements, providing real-time coaching on fieldwork technique, documentation standards, and professional judgment.
  • Contribute to methodology improvement by flagging procedures that no longer work in the new system environment and suggesting redesigns.
Development
Senior Auditor
Responsible for independent engagement execution, branch or region visit leadership, and progressive ownership of analytics and methodology components. The Senior Auditor tier is a formal progression step -- not an informal seniority designation. It reflects demonstrated readiness to lead engagements independently, mentor staff auditors, and own at least one repeatable analytics workflow. Functions that skip this tier create a cliff between staff-level work and manager-level accountability that most professionals cannot clear without external experience.

St. Louis / MO market range (base salary): $82,000 -- $115,000

What success looks like in this role
  • Execute engagement fieldwork independently -- planning, testing, finding development, and working paper documentation to a standard that requires minimal review intervention.
  • Lead branch or region visits, conducting opening and closing meetings and managing local stakeholder relationships during fieldwork.
  • Own at least one repeatable analytics workflow -- running it on schedule, maintaining threshold logic, and escalating exceptions through the defined process.
  • Mentor staff auditors during engagements, providing real-time coaching on fieldwork technique, documentation standards, and professional judgment.
  • Identify procedures that no longer work in the current system environment and bring specific redesign proposals to the Manager, not just the observation that something is broken.
  • Build depth in at least one operational or technical domain -- inventory, pricing, IT controls, financial reporting, or similar -- that creates genuine differentiation and contributes to the team's distributed knowledge base.
Development
Staff Auditors
Responsible for engagement fieldwork, branch visits, testing execution, and documentation. In the modernized model, staff auditors are expected to develop foundational analytics skills as part of their professional development -- not as an optional add-on but as a baseline expectation of the role.

St. Louis / MO market range (base salary): $60,000 -- $85,000

What success looks like in this role
  • Execute fieldwork tasks assigned by engagement managers: testing, sampling, documentation, and evidence gathering.
  • Build foundational analytics skills progressively -- starting with Excel and Power BI, advancing to the team's primary analytics platform.
  • Document working papers to a standard that would allow someone unfamiliar with the engagement to reconstruct the evidence and conclusions independently.
  • Conduct branch visits with a manager, taking increasing ownership of fieldwork tasks as experience grows.
  • Flag unexpected findings, data anomalies, or process surprises to the engagement manager immediately rather than waiting for the wrap-up meeting.
  • Take ownership of at least one repeatable analytics workflow per year, building toward the team's distributed analytics capability goal.

Salary ranges reflect 2024--2025 St. Louis / Missouri market data for base compensation only. Sources include Salary.com, Glassdoor, Robert Half, and ZipRecruiter. ESOP contributions, variable compensation, and total rewards vary by organization. SOX scope and analytics market premium push Senior Manager and IT Audit roles toward the upper end of reported ranges.

Role-by-Role Upskilling Priorities

The goal of the upskilling strategy is to distribute analytical capability broadly enough that the function is not dependent on any single person, while allowing individuals to develop depth that creates genuine career differentiation.

Chief Audit Executive
Digital strategy, AI governance, and executive leadership
The CAE does not need deep technical implementation skills -- they need enough fluency in AI, analytics, and digital transformation to hold credible strategic conversations, evaluate the function's capabilities honestly, and provide governance-level assurance over automated and AI-driven processes. Professional development should focus on strategic leadership, technology governance frameworks, and external network building.
Staff Auditors
Foundational data literacy
Excel beyond pivot tables, basic SQL for data extraction, and familiarity with the team's primary analytics platform at a user level. Training investment is low and return is high. Platforms like Alteryx have learning communities and certification programs that are accessible and self-paced.
Manager with Operations Background
Domain expertise to analytics bridge
Translating operational knowledge into analytics design. Someone who already understands what matters in a branch or warehouse environment has a shorter path to building effective inventory, cycle count, and operational KPI analytics than someone starting from a purely financial background.
Manager with Process/Methodology Background
Methodology skills applied to audit analytics design
Methodology and process improvement skills are the foundation of analytics design. Understanding process mapping, root cause analysis, and statistical thinking -- skills that translate directly to monitoring rule development and continuous improvement of audit procedures -- positions this Manager for growing scope and eventual advancement. The CAE owns methodology direction; Managers with this background are the primary execution layer for methodology implementation.
IT Audit Manager
ERP controls and data pipeline oversight
Understanding how data flows through a modern ERP, where automated controls exist and where they do not, and how to audit automated controls rather than just manual ones is the critical skill gap for IT audit roles in a post-implementation environment.

Suggested Training and Certification by Role

These recommendations reflect a mix of free and paid resources selected for relevance to the modernizing audit function. Availability and pricing may change -- verify current terms at each provider.

Chief Audit Executive
Strategic leadership, AI governance, and digital fluency
  • IIA Vision University Executive Cohort (leadership development for current and aspiring CAEs, theiia.org)
  • IIA Audit Leaders Network membership (benchmarking, peer network, CAE-specific resources)
  • ISACA CRISC -- Certified in Risk and Information Systems Control
  • NIST AI Risk Management Framework documentation (free, nist.gov)
  • Deloitte Global CAE Survey (annual, free, deloitte.com) -- benchmark reading, not a certification
  • Harvard Business Review: AI Fluency for Executives (or equivalent current offering)
Staff Auditors
Foundational analytics and standards
  • IIA CIA Part 1 -- risk-based auditing fundamentals
  • Alteryx Designer Core Certification (free, self-paced at community.alteryx.com)
  • LinkedIn Learning: SQL for Non-Programmers
  • Microsoft Power BI Guided Learning (free at learn.microsoft.com)
Managers with Operations Background
Analytics depth and operational intelligence
  • IIA CIA Part 2 -- practice of internal auditing
  • Alteryx Designer Advanced Certification
  • LinkedIn Learning: Data Analysis for Operations
  • Coursera: Google Data Analytics Certificate
Managers with Process/Methodology Background
Methodology and systems bridge
  • IASSC Lean Six Sigma Green Belt
  • IIA CISA -- awareness level preparation
  • LinkedIn Learning: Process Mapping and Workflow Design
  • Coursera: IBM Data Analyst Professional Certificate
IT Audit Manager
ERP controls and cybersecurity assurance
  • ISACA CISA -- full certification
  • SAP Certified Associate path relevant to your ERP modules
  • LinkedIn Learning: SAP S/4HANA Fundamentals
  • Coursera: IBM Cybersecurity Analyst Professional Certificate

Advancement Without Titles

In a function with limited title progression, the mechanisms that create career momentum are scope, ownership, visibility, and recognition -- not headcount growth.

Mechanism 1
Expanded scope before the title
Give auditors lead roles on higher-complexity engagements before they hold the title that would normally come with that responsibility. This creates stretch experience, demonstrates readiness for advancement, and signals organizational trust without requiring a formal promotion cycle.
Mechanism 2
Methodology ownership
Assign named ownership of specific methodology components, analytics frameworks, or monitoring routines. Owning something that the whole function relies on creates professional identity, external credibility, and a form of advancement that does not require a title change. It also directly reduces single-point-of-failure risk.
Mechanism 3
External representation
IIA chapter involvement, conference presentations, published frameworks, and peer network participation create credentials that travel beyond the organization. For professionals who cannot advance through title in a flat structure, external visibility is the alternative currency of professional growth.
Mechanism 4
Structured mentoring recognition
More experienced auditors who develop junior staff are providing a function-level service that has direct impact on team capability and retention. Recognizing and compensating that contribution explicitly -- rather than treating it as an informal expectation -- signals that development is valued, not just expected.
The retention research is consistent
SHRM research finds that employees who have access to skill-building opportunities are twice as likely to stay four or more years compared to those who do not. Visible investment in development is one of the strongest retention signals an organization can send -- and in a small audit team, it costs far less than replacing an experienced auditor who leaves for a function that will invest in them. For more on retention levers, see the skills evolution section.

Structure enables everything else.

The wrong structure does not announce its cost clearly. It accumulates -- in slipped timelines, capacity gaps, and a modernization that never quite arrives.