What is the Future of Internal Auditing?

Key Takeaways

• AI and Internal Auditing: While AI may transform internal auditing, its role will not replace the need for human auditors, who remain crucial for navigating unpredictable changes in business processes and decision-making.
• Focus on the Immediate Future: Internal auditors should prioritize helping organizations adapt to short-term changes, focusing on immediate risks and uncertainty rather than making long-term predictions about the next decade.
• Uncertainty and Risk Management: Given the unpredictable nature of global trade, economic conditions, and technology adoption, internal auditors must support management in navigating these uncertainties, providing assurance and advisory services.
• Agility and Adaptability: Organizations and their internal audit functions must remain agile and responsive to constant change, ensuring that internal controls, risk assessments, and business processes are regularly updated to address emerging risks.
• Proactive Involvement: Internal auditors must move beyond traditional assurance roles, actively engaging with management on strategic decisions, regulatory changes, and major projects to provide value as trusted advisors.

Deep Dive

In this piece, Norman Marks addresses the evolving role of internal auditing in the face of rapid technological advancements, shifting business dynamics, and emerging risks. He challenges the profession to adapt, offering a pragmatic perspective on what auditors need to focus on today to remain valuable in the future.

The Evolving Role of Internal Auditing in Uncertain Times

My good friend, Tom McLeod, has been called “one of the deepest thinkers in our profession.” This is an apt description of this experienced and innovative Chief Audit Executive (CAE), who is never content with accepting traditional, in-the-box thinking. He shared two recent LinkedIn posts on the topic of the future of internal auditing and the Institute of Internal Auditors (IIA) as our professional association:

• Will the IIA Survive AI?
• Rebooting the IIA

Another friend, Todd Davies, picked up on Tom’s writings in Institutionalised. These three articles are worth reading. They point to a major shift in internal audit practices over the next few years.

I’ve seen several people predicting that, with AI, the need for internal auditing may even disappear! They believe AI will be the internal auditor! That’s quite dramatic. I’m not (yet) there. The future is too unpredictable. As I shared with friends, including Tom and Todd, how likely is it that AI adoption in business processes, product development, manufacturing, operations, and decision-making will be free from error?

I believe we have an immensely valuable role for the foreseeable future—but only if we make the necessary changes. Continuing to audit as if nothing has changed (or is changing) doesn’t make sense. Everything is changing, and:

• The greatest risk is where there is change.
• The change is happening around us right now.

We need to be there, with management, providing advisory services as they navigate the chaos to an uncertain future.

The IIA is in a totally different space, although in Internal Audit: Vision 2035—Creating Our Future Together, they share some insights with which I agree, "In the coming decade, the internal audit profession will undergo a major transformation driven by accelerating technological advancements, significant disruptive trends, and emerging risks."

This transformation will be characterized by changes in how organizations operate... But at that point, our opinions diverge dramatically! It’s not about “the coming decade”! It’s about today and tomorrow!

Looking ahead ten years with any sense of certainty makes little sense to me. Can we predict with any confidence what our organizations will look like in ten months, let alone ten years? Are we sure our organizations will survive and thrive to such an extent that 2035 is a relevant topic?

Changing the IIA statement slightly, "In the coming decade, pretty much every organization will undergo a major transformation driven by accelerating technological advancements, significant disruptive trends, and emerging risks."

I don’t think I’ve ever seen as much turbulence or uncertainty about what will happen as I see today—and it is likely to continue for at least the next two, if not four, years or more. In fact, our organization’s future is highly uncertain!

Our priority is not ourselves in these times. It’s not about whether we should use AI to test 100% of the data in an assurance engagement. Our priority must be to help our organizations survive 2025, then 2026, and so on, and get to 2035 as a healthy and thriving company.

I will worry about 2035 later. I have too much to worry about now.

Let me address a few of the many uncertainties

The Impact of Tariffs

This week, I heard a segment on NPR where the co-owner of a rye whiskey distillery in Virginia was talking about the multiple effects of the new tariffs he is already seeing. One is that sales through a distributor in Mexico have dried up. Even though there are no tariffs on Mexico right now, there is too much uncertainty about possible future tariffs.

When you see a significant drop in sales, it impacts not only revenue but everything you need to support it—especially since you need to make the rye whiskey now for sale as an aged product in several years. Will that drop be short-lived or longer term? Will the Federal elections in two years result in a Democratic-dominated Congress that reverses course?

Will this government change direction and make most, if not all, tariffs disappear? Will challenges in the courts succeed? If it’s longer term, even permanent, serious strategic decisions must be made.

The other effect he mentioned is the supply of glass bottles needed for the whiskey. The company usually purchases bottles from a supplier in Pennsylvania, but the deliveries have been delayed for several months, and he thinks they will be delayed again. Other companies have shifted from purchasing glass bottles overseas to U.S. companies, including his supplier, to avoid the tariffs. His company is smaller, and the supplier is giving preference to the larger orders.

He’s even considering purchasing bottles from China (!!!!!) and paying the massive 107% tariffs because he has no choice. Putting premium whiskey in cardboard boxes like those used for wine? Not likely.

We simply don’t know (nor does anyone else) what will happen with tariffs. We don’t yet know whether our companies will have to shift manufacturing to other geographies. In fact, some companies are reportedly moving manufacturing out of the U.S. to avoid tariffs when they export to other nations!

If other companies bring manufacturing into the U.S., that will probably increase demand for skilled labor and other employees, making hiring and retention harder and increasing costs. All of this means we can’t really predict how it will affect our business tomorrow and next month, let alone in ten months or ten years.

What we can do is assess whether management is handling the tariff uncertainty well. That’s almost a daily challenge for them now. We can provide assurance, advice, and insight on the identification, analysis, evaluation, and treatment of related risks. Are the right people involved? Do they have reliable information? Are they staying current as things change? And so on.

If they are shifting manufacturing, that’s a major project, and we should get involved as trusted advisors.

The Economy

Similarly, there is great uncertainty about the health of the U.S. and world economies. Will there be a recession or worse? How will that affect demand for our company’s products and services? Will all our customers survive? How will their businesses be affected? How will it affect our suppliers, supply chain, and other service providers?

Is our company’s leadership planning for the various scenarios? Is that a reliable process, and can we help?

Technology and Business Processes

Everyone is predicting massive changes, and our companies have almost certainly started that journey. But what is the risk that they will get something wrong? Are they adopting AI, for example, in a strategic and coordinated way across the extended enterprise? The IIA suggests we should audit AI governance. Yes, but let’s not forget to audit major AI projects as well.

Are they effectively identifying, analyzing, evaluating, and addressing related risks? Are executives using AI not only in regular business processes but in strategic decision-making? Is that use reliable? Are they making the right changes to business processes and controls?

We need to be there.

People

As a naturalized U.S. citizen with dual nationality (UK), married to a Singaporean with a Green Card (a permanent resident), I am concerned about reports of other naturalized citizens being asked to self-deport (presumably a mistake by the Department of Homeland Security) and Green Card holders being informed that their status is being revoked.

I have advised my foreign-born friends (and those who appear foreign-born) to carry proof of their legal status. I’ve heard that some people are leaving rather than staying, especially those who know that if they travel internationally, they will be closely questioned upon return. Reports suggest that if you have even a misdemeanor on your record (or a charge without a conviction), you may be deported.

Think about the companies that employ people who are here legally but may find their employees detained by ICE or DHS. I would be asking whether my company’s management team has thought about the possibility of losing valuable employees.

If key employees are detained, how will their work be covered? Are they prepared to help? Are they doing enough to maintain employee morale? Is there a risk if the federal government inspects their hiring practices?

Technology, Products, and Services

In the same way that new technology is changing business processes and decision-making, companies are embedding it into their products and services—and the equipment they use to manufacture them. Will they be able to maintain product quality as technology advances even further? Are related risks being addressed?

Regulations

Usually, we are only concerned with new regulations. That is only part of the crazy, modern-art picture we see today. Which regulations are being or will be canceled by the Federal government? Will this affect state and local regulations and laws? Which regulations and laws will remain on the books but not be enforced?

Which regulations and laws will be re-interpreted by federal agencies and maybe the courts? How should our company respond to real and potential change? Do we take advantage of relaxed regulations and risk that they will be reimposed in two years—or sooner if the change is canceled by the courts?

Is it prepared to do so? Is management monitoring the regulatory environment? Does it understand the related risks? Internal audit can ask these questions and provide assurance to top management and the board in an area we rarely tread. But we have to be more continually involved, as a single point-in-time audit may not be sufficient.

Risk Management and More

Are our risk management processes and practices, including cyber and other risks, up to the task? Internal audit can assess those practices (see my book) and how they are adapting to the new reality.

Internal Audit

Will we have the people, attitude, intellect, experience, imagination, and courage to make a difference?

So, what do we do? What we don’t do is try to develop a multi-year strategic plan. That’s like planning how you will spend the afternoon in a village over the hill (that you can’t see) when there’s a minefield in the way.

Get there first!

Let me put it another way. As a young child living in London, I can remember walking home from school through a pea-souper fog. I couldn’t see beyond my outstretched arms—it was that bad. So what did I do? I walked very slowly, one step at a time. I couldn’t rely very well on my eyes, so I also made sure to listen. I didn’t want to walk into someone else or get hit by a bus. (I saw a bus take a turn too sharply and cross the sidewalk not far from where I was standing.) I still walked into a lamppost. My nose is an inch shorter now. (Joke.)

My focus was on the immediate future, and I think internal auditors should be focused on that too. That immediate future includes what management is not only doing right now but is currently planning to do next week, month, and year.

Are their planning processes sufficiently agile? What technology are they deploying, and is it reliable? Consider both business processes and products/services. What processes are they changing? Will they be able to change again as things change yet again?

Will internal controls be adequate to address risks? Will risks be effectively identified, analyzed, assessed, and addressed? Are decision-making processes sound? How are they addressing and monitoring changes in the business environment?

What’s happening with the board and its committees? Are they informed and able to act as needed? What’s happening with external communications to shareholders, regulators, bankers, customers, vendors, etc.? How are employees being treated?

As the company starts to deploy, I would be looking to see if my team can use the same technology ourselves. I wouldn’t want to pick a different AI if at all possible. But my #1, #2, and #3 priorities will be to help management and the board get to that village on the other side of the hill.

My audit engagements will focus on the change and potential change happening today and tomorrow. I won’t perform many traditional audit engagements of traditional audit areas where there is little change.

As I said, I will worry about 2035 later. I have too much to worry about now. Poor management and board decisions now might affect the company’s ability to get to 2035 as a healthy and thriving organization!

What do you think?

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.