Some Internal Audit Wisdom
Key Takeaways
- Internal Audit Is Evolving Faster Than Risk Management: Internal audit is making meaningful progress toward relevance and insight, while risk management continues to lag behind.
- Static Audit Plans No Longer Work: Continuous monitoring of business changes and emerging risks is essential, as even quarterly updates may be too slow.
- One-Size-Fits-All Audit Models Fall Short: Effective internal audit programs must be tailored to the organization’s maturity, strategy, and risk profile.
- Judgment and Creativity Are Being Squeezed Out: Increasingly prescriptive standards risk reducing internal audit to checklist-driven, algorithmic work.
- The Future of Audit Depends on Agility and Insight: Forward-looking assurance, professional judgment, and adaptability matter more than rigid compliance with prescribed methodologies.
Deep Dive
In this article, Norman Marks reflects on a handful of recent and not-so-recent pieces that, taken together, offer a revealing snapshot of where internal audit is headed and where it may be at risk of losing its way. Drawing on insights from industry leaders, consultants, and former global audit officials, Marks contrasts the profession’s growing ambition around agility, insight, and relevance with an increasingly prescriptive standards environment that threatens creativity, judgment, and imagination. The result is both a cautious critique and a hopeful argument for an internal audit function that stays forward-looking, tailored to the business, and grounded in professional judgment rather than rigid process.
Some Internal Audit Wisdom on Agility, Judgment, and the Future of the Profession
I am an optimist in life and in internal auditing. I am less of an optimist when it comes to risk management, as I don’t see the same level of progress as I do when it comes to internal auditing.
Three articles caught my eye this week, so I am interrupting my planned series on politics to share them. I hope you find wisdom in them and hope for our profession.
The first is a piece published in the Wall Street Journal’s Risk and Compliance Journal: Pinterest Audit Chief: Seeing Around Corners to Protect, Support Business. The “Audit Chief” is Ram Vijayanathan.
“Operating in a high growth industry accelerates the pace of innovation and change,” says Vijayanathan. “The challenge that my team and I have is to ensure we are tackling the most important risks to the organization by providing valuable and timely assurance.”
This means regular and proactive conversations with a wide range of stakeholders across the business, as opposed to the scheduled quarterly touchpoints that may be more common in decades-old companies operating in more established sectors.
In other words, monitor what is happening with the business, its environment, and its risks. Use that information to continuously update the audit plan. Even a quarterly update may be too slow to ensure you are auditing what matters now and in the future.
We hear additional wisdom from Robyn Mihin, a Deloitte & Touche principal:
“What is often underappreciated is that, while the principles and intent of internal audit and enterprise risk management are almost universal across organizations, the way in which a program is designed and implemented needs to be tailored to the specific organization.”
Vijayanathan is quoted as saying:
What I have always done is cater our deliverables to meet the needs of the organization, which sometimes takes us down a path of operating in an advisory capacity until such time the company achieves maturity and consistency.
The committee is looking for my team to provide assurance over the key company risks and strategies. It is very focused on things that could hinder the company’s ability to grow, sustain, and build our business. The insights we give the committee through our audit reports help them hold management accountable by, for example, offering insight into how leaders are managing various company risks.
I also see a world in which, instead of doing an audit “cold,” the team is continuously collecting data that gives us insights, almost pointing us to where we should be focusing our audits.
The second piece is from the consultancy firm, SIA: Financial Risk Management Internal Audit: Assurance to Strategic Intelligence.
…the role of Internal Audit is undergoing a fundamental transformation. No longer confined to retrospective compliance testing, Internal Audit has become a strategic function by delivering insight, foresight, and assurance across financial, operational, and technological risk domains.
audit teams are now expected to provide continuous, forward-looking insight that informs executive decision-making and strengthens enterprise resilience.
[We should be] Shifting audit plans from static annual schedules to agile assurance and insight roadmaps
That leaves me with an admittedly older piece (2024) from Risk Oversight: Exclusive Interview: Dr. David J. O’Regan, Auditor General, World Health Organization (Americas Region). It takes a while for the article to get to content that I find interesting:
In my opinion, I see an alarming decline in the space for internal auditors to exercise their creativity, judgment, and moral agency.
Look for example at the IIA’s revised standards — they claim to be principles-based, but such claims are disingenuous. The 15 principles in the new standards serve solely as headings, and the standards themselves are prescriptive. This prescriptiveness is squeezing our individual judgment.
Collectively, in my view, we as internal auditors are increasingly filling out checklists and undertaking algorithmic auditing. This clockwork approach to internal auditing increases the dangers of our profession being taken over by Artificial Intelligence (AI) and other forms of machine processing.
I celebrate his emphasis on creativity and judgment, to which I would add imagination. Stir in Mihin’s comment that internal audit needs to be tailored to the needs (today and tomorrow) of the business, and SIA’s focus on agile assurance, and you are talking my language.
O’Regan appears to be a pessimist, and unfortunately there is cause as the IIA continues to pump out Topical Requirements in a drive for consistency when agility and flexibility are required. But I see change, and progressive change at that. In time, I hope that leaders of the IIA will catch up.
We need to deliver the valuable forward-looking assurance, insight, and advice our organization’s leaders need for success, not documentation that proves we complied with a prescribed audit approach.