Norman Marks

In this article, Norman Marks reflects on a handful of recent and not-so-recent pieces that, taken together, offer a revealing snapshot of where internal audit is headed and where it may be at risk of losing its way. Drawing on insights from industry leaders, consultants, and former global audit officials, Marks contrasts the profession’s growing ambition around agility, insight, and relevance with an increasingly prescriptive standards environment that threatens creativity, judgment, and imagination. The result is both a cautious critique and a hopeful argument for an internal audit function that stays forward-looking, tailored to the business, and grounded in professional judgment rather than rigid process.

In his latest article, Norman Marks challenges a familiar reflex in internal audit: treating cybersecurity as a standalone auditable domain. Drawing on the IIA’s Cybersecurity Topical Requirement and his own experience as a chief audit executive, Marks makes the case for a more disciplined, risk-based approach—one that looks past controls and frameworks to assess how management actually identifies and manages cyber-related business risk. The result is a practical rethink of how cyber fits into an audit plan, and why auditing “cybersecurity” itself may miss what really matters.

In this article, Norman Marks explores the evolving role of the chief audit executive, moving beyond traditional assurance to actively helping boards and audit committees operate more effectively. With new opportunities emerging through AI and technology, Marks argues that internal audit functions can deliver greater value by enhancing board governance, insight, and performance.

In this article, Norman Marks looks into why so many organizations continue to operate with ineffective risk management programs, even while acknowledging the consequences. Drawing on industry survey data and decades of experience, he explores how boards and CEOs often settle for compliance-driven approaches that fail to support decision-making, and why meaningful change must start at the top.

In a recent article, Norman Marks asks a pointed question that’s becoming increasingly urgent across boardrooms, risk teams, and C-suites alike—are organizations truly leveraging the potential of AI, or are they still circling the runway while competitors take off? Drawing on new insights from Google AI and McKinsey’s latest 2025 survey, Marks explores whether companies are moving fast enough, cautiously enough, or strategically enough to turn AI from hype into real enterprise value, and what it means for practitioners who risk being left behind.

In this article, Norman Marks dives into the evolving concept of continuous assurance, challenging traditional notions of continuous auditing and urging internal auditors to focus less on reviewing the past and more on providing real-time confidence in the future. Drawing on his own experiences as a former Chief Audit Executive and early adopter of continuous auditing techniques, Marks explores how true assurance comes from understanding risk as it changes, engaging with management regularly, and providing insight that helps organizations anticipate, not just detect, issues.

In his latest piece, Norman Marks breaks down a critical gap he continues to see across GRC and ERM programs: the absence of a true top-down, objective-focused approach. While many organizations and software platforms emphasize identifying risks first and then mapping them to objectives, Marks argues that this bottoms-up structure misses what matters most. To understand risk and opportunity in a meaningful way, he explains, organizations must start with their enterprise objectives, strategies, and goals, and then determine what could hinder or enable their achievement.