Aerial view of a circular garden maze and green pavilion

Why internal control operating models matter more than ever

Portrait of Juuso Saarnikko
Juuso Saarnikko

Director, Risk Consulting, Nordics Risk Managed Services and Internal Audit Leader, EY Finland

07 May 2026

Rising risk, regulatory and digital transformation reshape internal controls, requiring organizations to rethink how controls are delivered.

In brief
  • Strong governance remains a Nordic hallmark, but growing risk and regulation demand more scalable internal control delivery.     
  • Modern operating models are replacing people-dependent processes with standardized, insight-driven execution.
  • The result is increase in resilience, compliance, predictable cost and better support for business confidence.

Internal controls form the backbone of trust in financial reporting, operational resilience and regulatory compliance. At their core, they are the policies, processes and activities that help organizations manage risk, safeguard assets and ensure reliable reporting. For many large, listed organizations, this includes compliance with the Sarbanes‑Oxley Act (SOX), which sets rigorous expectations for internal controls over financial reporting (ICFR). Yet robust, modern and technology-enabled internal controls are equally important beyond SOX - supporting establishment of effective compliance, operational integrity and confidence among key stakeholders, such as the Board of Directors, their Audit Committee and the C-suite across a wide range of organizations and shifting from static backward-looking controls testing to a continuous steering mechanism, with actionable data insights.

A changing risk landscape

Nordic companies are navigating increasing regulatory complexity, accelerated digital transformation and heightened expectations from boards, regulators and auditors. At the same time, many internal control environments still rely on manual, fragmented processes and a small number of key individuals. This combination often leads to rising effort and cost to maintain compliance, limited transparency into control performance, and challenges in scaling controls consistently as the business evolves. 

What we see across the Nordic market is not a lack of commitment to strong internal controls, but a lack of capacity and ability to invest and keep up with the pace of requirements set for modern internal control execution and monitoring. Organizations are trying to manage rising expectations with operating models that were not built for today’s pace of change.

Juuso Saarnikko

Director, Risk Consulting, Nordics Risk Managed Services and Internal Audit Leader, EY Finland

Related article

When the world shifts overnight, can you operate at the speed of trust?

Risk operating models must become strategy-first, trigger-based and governance-forward. Learn how Risk Strategists are leading the way.

Scott McCowan + 2

    A shift toward managed operating models

    To address these challenges, many organizations are re‑evaluating how internal controls are delivered. Managed services models move internal controls away from people‑dependent, periodic activities and into standardized, scalable and technology‑enabled operating models. Key benefits include:

    • Consistent control execution across business units and geographies
    • Improved risk mitigation and audit readiness 
    • Better visibility into performance, associated effort and emerging risks
    • Optimized and predictability of cost-to-control
    • Reduced dependency on key individuals

    This approach is relevant for both SOX‑regulated and non‑SOX organizations looking to modernize their internal control governance environment.

     

    EY Internal Controls Operate Managed Service

    EY Internal Controls Operate Managed Service has been designed to support the full internal controls lifecycle: from execution and monitoring to independent assurance and continuous improvement. By combining standardized processes, centralized delivery and AI‑enabled testing, organizations can reduce manual effort, eliminate duplicate or low‑value controls, and improve transparency into effort, performance and outcomes.

     

    Technology as an enabler

    AI‑supported tooling helps automate routine testing steps, dynamically capture and tag evidence and direct attention toward the most impactful risks. The result is:

    • Faster insight
    • Stronger, audit‑ready operations
    • Broader risk coverage
    • Improved control quality
    • Lower cost to operate internal controls

    Finally, operating internal controls as a managed service helps enable organizations to free internal capacity for higher‑value activities such as control design, remediation, root‑cause analysis and managing emerging risks. Such models let also companies benefit and utilize the technology and AI investments of the service provider. In a Nordic context, where talent availability, cost discipline and strong governance all matter, this approach is less about outsourcing and more about building a resilient, efficient and future‑ready internal controls environment that supports both compliance and business confidence. 

     

    How EY teams can help

    • Assessing current internal control maturity
    • Designing target operating models for Internal Controls
    • Outline the prerequisites and the 'case-for-change
    • Transitioning to managed services operating models
    • Operating a managed service through the EY proprietary EY.ai for Risk: Internal Controls AI technologies helping enable testing and control automation 
    • Strengthening enterprise‑wide risk and compliance capabilities

    Local contact: Dorjan Mehmeti, Partner, tel: +45 6155 9800, EY Denmark

    Summary 

    For Nordic businesses, rising regulatory pressure, digital risk and cost volatility are exposing the limits of traditional internal control models. Managed services provide a more resilient alternative — standardizing execution, embedding technology and providing continuous assurance at predictable cost. By operating internal controls as a managed service, organizations strengthen governance, improve audit readiness and gain clearer risk insight, while freeing scarce internal experience to focus on emerging risks and strategic resilience.

    About this article

    Portrait of Juuso Saarnikko
    Juuso Saarnikko
    Director, Risk Consulting, Nordics Risk Managed Services and Internal Audit Leader, EY Finland
    Experienced risk management and internal audit leader with 15 years of experience from the field.
    Related topics
    Managed services
    Risk

    How EY can help

    • Risk Managed Services

      Risk Managed Services reimagines your risk function from defensive tool to strategic enabler, giving leaders the confidence to accelerate transformation.

      Read more

    •  Enterprise Resilience

      The EY Enterprise Resilience solution helps organizations navigate disruption with agility — reducing risk and driving long-term value. Learn more.

      Read more

    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.