TSA internal audit stand-up builds the carved-out entity's own assurance over its controls before Day One. The seller's central internal audit function disappears at separation, exactly when new, untested processes make controls most fragile. This is a core control workstream, which places it inside day one readiness. Without it, the new owner has no independent check that the controls it depends on are actually working.
Internal audit is the independent function that checks whether a company's controls are designed well and actually operating. In a large group it sits centrally, the seller's internal audit team plans its work across the whole organisation, and any given business unit was simply one of the entities it covered. The carved-out business never had to run its own assurance, because the parent provided it, and that quiet dependence is easy to miss in the noise of a separation focused on systems and people.
On separation that coverage ends. The standalone entity loses access to the seller's internal audit function the way it loses any other shared service, and unlike a payroll system the absence does not announce itself with a failed run. Nothing breaks visibly on Day One if internal audit is missing; what breaks is the assurance, and the gap only shows up when a control that everyone assumed was working turns out not to be, often months later and after a loss.
So the buyer plans the assurance function as deliberately as any other separated capability. The form can be lean for a small standalone entity and fuller for a larger one, but the principle holds: someone independent has to be checking that the controls the new owner relies on are real. Treating internal audit as optional in the early standalone period is a quiet way of running without a safety net at the exact moment the ground is least stable.
A carve-out is the moment a control environment is most exposed. Processes that ran smoothly inside the group are being rebuilt on standalone systems, new people are stepping into roles, and the segregation of duties that the parent's larger organisation provided gets thinner in a smaller standalone entity. Each of those changes is a chance for a control to weaken, and they are all happening at once, which is precisely the condition under which errors and fraud tend to slip through.
The removal of central oversight compounds it. Inside the group, a layer of corporate controls, central approvals, and group policies sat over the business and caught things the unit itself might have missed. After separation that layer is gone, and the standalone entity has to provide its own. A new payment process with a new team and no independent check over it is a classic place for a control gap to live undetected, which is exactly the kind of thing internal audit exists to find.
This is why the buyer wants assurance early rather than once the dust settles. The early standalone months are when a real check on the key controls has the most value, because that is when they are newest and least proven. Waiting until the function is fully built before doing any assurance means the highest risk period passes with no independent eyes on it at all.
The first build decision is the operating model. Few standalone carve-outs hire a full internal audit department on Day One, and most do not need to. An outsourced or shared service arrangement gives immediate coverage and specialist skills without a long hiring cycle, which fits the early standalone period well. As the entity matures the owner can bring more capability in, but starting with external delivery means assurance is available from the first months rather than waiting on recruitment.
Next is the audit plan, and it has to be risk based rather than a generic checklist. The buyer points the early work at where the separation has created the most exposure: the new financial close, the standalone payment controls, access to the new systems, and any process that changed hands or lost a layer of oversight at carve-out. A plan that spends its limited early capacity on the highest risk processes is worth far more than one that tries to cover everything thinly.
Then the reporting line. Internal audit only works if it is independent of the people running the processes it checks, so the buyer establishes a clear line to the board or audit committee from the start. In a private equity owned entity this often runs to the owner's value creation or finance leadership, and getting that line right early is what keeps the function from quietly becoming an extension of management rather than an independent check on it.
The early audit work earns its place by confirming the controls the new owner is leaning on actually hold. The standalone payment process is near the top: who can create a payment, who approves it, and whether the limits and segregation are real rather than theoretical, because a weak payment control is where money leaves the business. Right alongside it is the financial close, where a new ledger and a new team produce the numbers the owner is steering by, and where an unchecked error can quietly distort the picture.
Access and authority round out the early focus. A separation hands out new system access, new approval rights, and new responsibilities quickly, and it is common for access to end up broader than intended in the rush to get people working. An early review of who can do what in the new systems catches the access that was granted for go live and never tightened, which is both a control risk and a frequent audit finding in the first standalone year.
The point is not volume but evidence. A handful of focused reviews that genuinely test the highest risk controls give the owner real assurance, while a long list of shallow checks gives a false sense of coverage. Confirming the critical controls are operating is part of proving the entity is properly stood up, which is the standard the Day One Readiness program holds every separated function to.
The function proves itself by giving the owner findings it can act on, not a clean report that misses the real gaps. Early internal audit work in a carve-out should surface the controls that did not survive separation intact, name them plainly, and track them to fixes. An assurance function that reports comfort while the standalone payment control is actually weak is worse than none, because it lets the owner believe a problem is covered when it is not.
It also has to mature past the first sprint. The lean co-source that gives coverage on Day One is a start, and the buyer plans how the function grows as the entity settles, how the audit plan widens beyond the separation risks, and when internal capability is added. An assurance function frozen at its Day One minimum slowly falls behind a growing business, so the build plan looks past launch to the steady state the owner ultimately wants.
Internal audit stand-up rewards the buyer that refuses to treat assurance as a luxury for later. Choosing a lean operating model, pointing a risk based plan at the separation exposures, setting an independent reporting line, and acting on real findings gives the new owner eyes on the controls during the months they are most fragile. Treating internal audit as something to build once everything else is settled leaves the riskiest period of the entity's life with no independent check at all.
It is building the standalone entity's own assurance over its controls: a risk based audit plan, the people or co-source arrangement to deliver it, and a reporting line to the board or audit committee. Inside the group this was provided centrally by the seller's internal audit function, which the entity loses on separation.
It needs the assurance, even if the formal function is built over the first months. Day One is when controls are most fragile, because processes are new and people are settling in, so someone has to confirm the key financial and operational controls are actually working. The form can be lean, but the assurance cannot wait.
Many standalone entities start with an outsourced or shared service model and build internal capability over time. An outsourced model gives immediate coverage and specialist skills without a long hiring cycle, which suits the early standalone period. The right answer depends on the entity's size, risk profile, and the owner's requirements.
Closely. Separation creates new, untested processes and removes layers of central oversight, so the control environment is weaker exactly when it is changing fastest. Internal audit is the function that checks those new controls hold, which makes its stand-up part of proving the entity is genuinely day-one ready.
The payment controls an early audit should pressure test.
Read the article →A separation risk worth confirming actually closed.
Read the article →The new close an early audit should look hardest at.
Read the article →The 90-day governance, IT, finance, HR and procurement separation plan we run on live carve-outs. Get the playbook plus the bi-weekly Day One Letter — short, signal-heavy, buyer-side.
No spam. Unsubscribe in one click. · Read the overview first →

Fixed-fee proposal in 48 hours. Senior team on day one. The first conversation is always free.
Seven buyer-side moves to exit a Transition Services Agreement on time and below budget. The mark-up, the extension-fee curve, exit sequencing, and the 11-month calendar.
One tactic, one benchmark, or one pattern from a recent buyer-side engagement. Short. Signal heavy. Free.
Subscribe to The Day One Letter →