Internal Audit Officer
Independent, risk-based assurance over governance, risk and control processes. Annual audit planning, field work, findings tracking, and reporting to the management board in line with MaRisk BT 2 and IIA standards.
§ 25a KWG · MaRisk BT 2 · IIA Standards (IPPF)
Talk to us about Internal Audit Officer
Three lines and you are in our inbox. We reply within one business day.
What does an Internal Audit Officer do?
An Internal Audit Officer leads an independent, risk-based assurance function that examines whether an organisation's governance, risk management and internal controls work as intended. In regulated financial institutions the function is mandated by the requirement for a proper business organisation under Sec. 25a of the German Banking Act (Kreditwesengesetz, KWG) and shaped in detail by the Minimum Requirements for Risk Management (MaRisk), specifically module BT 2 on the internal audit function (Interne Revision). Internationally the work follows the standards of the Institute of Internal Auditors set out in the International Professional Practices Framework (IIA Standards, IPPF).
The officer prepares a multi-year and annual audit plan that allocates audit effort according to the institution's risk profile, as MaRisk BT 2 requires, and ensures that all material activities and processes are audited within an appropriate cycle. They lead the fieldwork: examining processes, testing controls, gathering evidence and forming an objective judgement. Findings are documented with an agreed severity, a responsible owner and a remediation deadline, and the officer tracks them through to closure.
Independence and objectivity are central: the function reports directly to the management board, has unrestricted information and audit rights, and must be free of conflicts that would impair its judgement, as both MaRisk BT 2 and the IIA Standards demand. The officer reports findings and the overall control assessment to the board and, where required, to the supervisory authority, and follows up on the implementation of measures. The aim is reliable, documented assurance that lets management and supervisors rely on the institution's control environment.
Core duties of the Internal Audit Officer
- Prepare a risk-based multi-year and annual audit plan as required by MaRisk BT 2.
- Ensure all material activities and processes are audited within an appropriate cycle.
- Lead fieldwork: examine processes, test controls and gather sufficient, reliable evidence.
- Document findings with severity, responsible owner and remediation deadline.
- Track findings through to closure and verify that agreed measures are effective.
- Report findings and the overall control assessment to the management board.
- Maintain independence and objectivity as required by MaRisk BT 2 and the IIA Standards.
- Carry out special and ad-hoc audits at the request of the board or supervisory authority.
- Operate a quality assurance and improvement programme for the audit function per the IIA Standards.
- Report to the supervisory authority where required and support external audit and inspections.
When is an Internal Audit function required?
For credit institutions and financial services institutions, an internal audit function is a mandatory element of the proper business organisation demanded by Sec. 25a (1) KWG, and MaRisk BT 2 specifies how it must be set up: as a process-independent function reporting directly to the management board, with unrestricted audit and information rights and a risk-based plan covering all activities and processes. The board carries overall responsibility but must equip the function with adequate resources and staff with the necessary expertise.
The head of internal audit must be qualified and the function staffed so that it can audit all material areas within an appropriate multi-year cycle. The IIA Standards add professional requirements such as independence, objectivity, due professional care and an external quality assessment at defined intervals. Outside the banking sector, comparable requirements apply to insurers and to investment firms under their own supervisory regimes, and many large or listed companies maintain an internal audit function as part of good corporate governance even without a sector mandate. The appointment, mandate and reporting lines should be documented in an audit charter approved by the board.
- Credit or financial services institution under Sec. 25a KWG
- Internal audit requirements of MaRisk BT 2
- Comparable supervisory regimes for insurers and investment firms
- Adoption of the IIA Standards (IPPF) as the professional framework
- External quality assessment obligation under the IIA Standards
- Corporate governance expectation in large or listed companies
Sectors that appoint an Internal Audit Officer
- Banks and credit institutions
- Financial services and investment firms
- Insurance companies
- Asset and fund management
- Payment and e-money institutions
- Listed corporations
- Public-sector bodies and utilities
- Large industrial groups
- Healthcare and pension organisations
How CIVAC supports the Internal Audit Officer role
CIVAC gives the Internal Audit Officer a workspace to run the audit cycle and prove independence. Task templates cover the recurring rhythm of plan preparation, fieldwork milestones, findings follow-up and board reporting, each with a reminder before the due date. The documentation area holds the audit charter, audit plan, working papers, findings and the quality assurance programme required by the IIA Standards. The audit trail records when each finding was raised, who owns it and when it was closed, which evidences the findings-tracking discipline MaRisk BT 2 expects. The training library keeps auditors current on standards and methods. EU data residency keeps sensitive audit records inside the EU, supporting the confidentiality the function relies on.
Need this officer role for your organisation?
Appoint our experts as your external officer or license CIVAC for your in-house team. Get in touch and we walk you through the right setup.