What Is in the Future for Internal Auditing?

Key Takeaways

• Audit Must Evolve with the Business: Internal audit risks becoming obsolete if it fails to adapt to rapidly changing business processes driven by AI and automation.
• Understanding the “Why” Comes First: Before adopting AI tools, audit functions need to reassess their core purpose and what assurance will look like in an AI-driven environment.
• Change Introduces the Greatest Risk: Workforce reductions, automation, and shifting processes are creating new and often unaddressed risk exposures that auditors must anticipate.
• Proactive Engagement Is Critical: Internal audit should be embedded in strategic discussions and transformation initiatives rather than reacting after failures occur.
• Future Readiness Requires Continuous Learning: Audit teams must continuously rethink skills, tools, and approaches to remain relevant as technology and business models evolve.

Deep Dive

In this article, Norman Marks explores what the future holds for internal auditing as AI, automation, and rapidly evolving business processes begin to reshape the very foundations of risk and control. Drawing on a real-world anecdote, he challenges auditors to rethink not just their tools, but their purpose, urging the profession to move beyond incremental change and confront the deeper question of what meaningful assurance looks like in a world where the rules are being rewritten in real time.

Internal Audit at a Crossroads as AI Reshapes Risk and Assurance

Let me start with a real-life story.

The CFO of Solectron, Kiran Patel, held an all-Finance meeting in one of our manufacturing plants in Milpitas, California. At the end of the meeting, a lady who had been with the company for many years approached him. She asked whether Kiran found the report she sent him every month useful. He didn’t understand. He couldn’t think of a report he got from her every month. So he asked her what it was about and where she sent it.

The answer was astonishing. It was a report on a part of the business that was dormant, and she was sending it to the email address of a former CFO. The business had moved on. She had not.

That is the danger for internal audit. Technology, including AI and robotics, is in the process of reshaping the world – and that includes our world: the one in which we live and work.

In the same way that business and their processes are evolving, internal audit needs to evolve. Auditors also need to evolve – in line with the business.

I am not talking about internal audit learning to use AI. No. We should do that, but first we need to know why we are even here. We exist to provide assurance on management’ processes and controls.

Those processes and controls are in the early stages (some are more advanced than others) of a radical evolution. Experts have said that the AI-fueled revolution is going to bring more radical change than the Industrial Revolution!

Will our tried-and-true methods and approaches, even with the assistance of our own AI, meet the needs for assurance on AI and robotic processes and controls? Think not only of Finance, but manufacturing, sales, customer support, security, systems development and maintenance, and more.

I don’t know. I doubt it.

We need to know what we will have to provide assurance on first. Some are already saying that we need to embrace AI. Fine. That’s part of the answer. A small answer. But I am reminded of the man (has to be a man, doesn’t it) who checked all the reviews and bought the best hammer in the world. Then he looked for the nails, but all he found were screws.

Should we put a lot of energy and resources into building AI-enabled audit platforms and tools that are designed for today when tomorrow and the day after will be radically different? We need a plan that will evolve as our company evolves.

If the company has a clear road map that can be relied upon, get and study it. That’s a great start. But I expect that their vision is limited and blurry.

We must start thinking now about what will be needed from us in each stage of the company’s evolution. Do it today, do not wait for tomorrow.

We are already seeing companies letting many people go. While they say it’s because their work is being replaced by AI, some experts say it’s because they are spending so much money on AI development that they have to slash other costs—and that means people.

When people leave, risks may emerge and controls disappear or fail to be performed. New controls will be needed,

Now

The greatest risks are where there is change. So what has changed over the last year, what is changing now in the business, and what is about to change?

What has management changed? What are they about to change?

What is management’s roadmap? Who will be replaced by what?

Find out. Which controls will be affected by the loss of personnel? How are the risks they cover being addressed?

What are the new or changed risks of today, and what about tomorrow and the day after?

Are their objectives SMART?

Have they done enough to identify and address the risks?

We need to be involved. Don’t stand on the sidelines so you can bayonet the wounded after new technologies and processes fail.

Does the board have all the information they need?

Do we have the resources to help management do all of this right? If not, change now and don’t wait until it’s too late and all the AI-savvy people have been hired by somebody else.

For example, do you have the ability to audit how robots are picking and shipping products to fulfil sales? Do you have the talents on your team to assess the controls over an AI that that will perform journal entries? How about the related ITGC when the AI’s code is written and tested by another AI?

Next

Monitor progress. Step in to help when there are problems. You may not be able to personally fix problems, but you can help management understand them and take the best actions.

Monitor change, preferably before it happens. Be at the table when management is talking about what they plan to do next, what they plan for 2027 and beyond.

Continue to audit proactively. Don’t forget to perform traditional audits when the risk and value justify them. Don’t audit processes that are about to be totally replaced where your assessments and ideas for improvement will be meaningless.

Future Vision

Learn continuously what you will need to audit and how you will need to audit.

Once you know whether it’s a nail, a screw, a laser beam, or a circuit diagram in a robot, redesign your audit team and tools to work on them. At least for a while, the best tool we have and will need is between our ears.

Oberve, listen, think, and listen some more. Share your insights with management.

Help them and the company succeed. The possibility of failure is very high.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.