Internal Audit Is Changing. What’s Your Game Plan for Keeping Up?

I recently met with the CAE of a prominent Fortune 500 company. His Audit Committee Chair had asked him point-blank: “What is Internal Audit going to look like in 2030?”, asking him to present his response to the committee. He hoped I could provide some perspective. 

That question — what will Internal Audit look like in 2030? — felt like a tipping point. 

Because I realized: I have answers.

It’s been nine months since the Internal Audit Collective went live. In all the conversations I’ve been privy to — my one-on-ones with leaders, the community events and trainings I participate in, and on our message boards — I’ve observed some striking trends.

That’s what I’m sharing today: How I see Internal Audit changing based on my conversations with 700+ high-performing Internal Audit leaders.

During my December 11 webinar, “The Next Era of Internal Audit: Leading With Impact,” I’ll share more data and real-world stories backing up these trends. We’ll also go in depth on how Internal Auditors can make the most of the changing landscape — and our evolving value proposition within it.

So, let’s kick it off: How do I see Internal Audit changing?

1. Independence Is Becoming Less Important

Internal Audit’s remit is expanding. We’re being asked to do more advisory work than ever before — and to do it with the same or fewer resources.

Advisory work forces Internal Audit teams to not only provide advice, but to get in the trenches and help implement.

Those who are quick to say “Well, we can’t audit that area if we’re implementing” are missing the point.

This is what our organizations need our help with. Not just with calling balls vs. strikes while staying carefully at arm’s length. They need us working in the trenches.

It’s okay to lack independence, because objectivity is the real safeguard.

Our objectivity doesn’t ONLY come from what we observe in our work. It also comes from what we talk about in our networks, the external data we capture in our benchmarking, and the perspectives we bring on how other organizations are succeeding in the areas we’re trying to improve.

This isn’t your mother’s “third line”: hands off, focused only on testing and auditing.

This is a new era, where our objectivity: data-enabled and supported by external expertise, becomes the superpower we’ll use to help solve our organizations’ most pressing problems. 

2. Our Expanding Remit Is Redefining Our Core Value Proposition

The shift to objectivity becoming more important than our independenceis being driven by our fast-expanding remit and scope. 

In addition to many of us being responsible for driving SOX compliance, we’re leading ERM, and providing more assurance on SOC 1 and 2 controls assurance, We’re also taking on key second-line GRC functions (e.g., data loss prevention reviews, investigations, hotline oversight) and implementing connected risk.

We’re also allocating more of our audit plans to addressing our organizations’ top risks. The 2025 State of Internal Audit With SOX Responsibilities survey found that 78% of self-assessing high-value Internal Audit teams devote the majority of their audit plans to their organizations’ top 20 risks. As such, more audit plans include advisory work over emerging risk areas (with AI governance leading the charge) and audit work of go-to-market activities (e.g., sales, marketing, etc.) and engineering, innovation, strategic goals/objectives are becoming more commonplace. (Want to find out what’s actually on everyone’s audit plan in 2026? Take our short survey.)

In sum, we are spending more of our time performing advisory work — and less time on more traditional assurance activities. 

And you know what? Management puts more value on our advisory work. 

With emerging risks at the forefront, never-before-audited processes and controls, and the rapid pace of technological change bringing unprecedented challenges, they genuinely need our help.

While our assurance work will always be critical (especially to audit committees and boards), I predict that our advisory work will become more central to Internal Audit’s value proposition in 2026.

So What’s Next for Internal Audit?

These trends and their drivers interconnect, creating a self-perpetuating cycle.

This is what Internal Audit’s next era looks like. 

As the graphic illustrates, investing in knowledge sharing is an overarching necessity for supporting Internal Audit’s evolution in all of these areas. 

Also, as the 2025 State of Internal Audit With SOX Responsibilities reinforced, SOX can be a powerful lever for building the leadership buy-in and relationships critical for success.  

This next era will be new ground for most of us. We’ll have a better chance of success if we help each other through. 

The End of Internal Audit

What happens if we don’t evolve? 

If we insist on independence above all, hardening silos and limiting our ability to do the advisory projects management wants? If we don’t leverage key opportunities (e.g., SOX, connected risk) to showcase and expand our impact?

That path severely limits our value proposition.

It doesn’t lead to meaningful change or ongoing relevance. 

I honestly think that path could be the “end” of Internal Audit. 

How Internal Audit Will Redefine Its Relevance & Value

Our profession is changing. What can you do to make sure you’re keeping up? 

That’s what my December 11 webinar, “The Next Era of Internal Audit: Leading With Impact” (register here), will focus on. Beyond sharing data and stories illustrating these trends, I’ll highlight specific opportunities Internal Auditors have to capitalize on them, including: 

• Beyond breaking down cross-functional silos, we need to break down silos within Internal Audit. The triple-threat “auditors of the future” will blend IT, analytics, and business process skill sets, with ramifications for how we staff, hire, and develop our teams — and how we get promoted.
• Tech skills — particularly including data analytics skills — will reshape audit processes and redefine what makes a good Internal Audit leader. Forward-looking teams will push to replace traditional assurance responsibilities with continuous monitoring activities, audits will be shorter, and our role in them will change. 
• Our expanding remit will help our work be more relevant and impactful. In turn, we’ll develop the capabilities, relationships, and cross-functional people, process, technology, and strategy knowledge to become true change agents and connected risk architects. 
• Rebranding is on the table. While deeds are always more important than words, some teams will benefit from renaming or repositioning Internal Audit.
• Reporting relationships could change, depending on where/how we’re delivering value. 

What’s Your Plan for Transformation?

The Fortune 500 CAE I talked to was already focused on evolving his team. The Audit Committee Chair’s request just lit a fire under the question. 

It also lit a fire in me. Because I realized: I truly think Internal Audit will look very different. 

If your Audit Committee comes calling, asking what you’re doing to evolve your audit team, how will you respond? 

One solid strategy: By sharing that you’re keeping a close pulse on how Internal Audit is changing, regularly getting insights, guidance, and support from a community of high-performing audit leaders. 

Join the Internal Audit Collective. Play a role in defining, leading, and supporting Internal Audit’s next era. Eager to learn more about how Internal Audit’s foundations are shifting? Sign up yourself or a team member for FOUNDATIONS, our cohort-based training course focused on risk-based audit fundamentals for modern Internal Auditors. The next course starts November 17.

‍

[below this line is the outline you provided — keeping here for easy reference!]

‍

Outline

‍

1. Internal Audit’s Scope is expanding
   
   1. Higher percentage of audit resources allocated to top 20 risks, including emerging risks
   2. Audit’s over GTM (sales, marketing, engineering and innovation, and strategic goals and objectives) are becoming more common place.
      
      1. Want to find out what’ son your audit plan in 2025 or 2026, take our survey.
   3. As a result, IA spends a larger chunk of time performing more advisory services than assurance over traditional business processes. 
      
      1. Assurance over Gen AI 42% in 2025 for high impact audit teams, expect this to be higher in 2026.
      2. Coincidentally, the business prefers audit’s advisory work instead of their assurance work (need to cite reference).
2. Independence is becoming less important
   
   1. Advisory work forces internal audit teams to not only provide advice, but to also help implement.
   2. As discussed in year’s past, IA’s remit is also expanding to take on more SOC I and 2 controls assurance, ERM, and other key 2nd line GRC functions (e.g. data loss prevention reviews, investigations, overseeing hotline).
   3. Those that are quick to cite “well, we can’t audit that area if we implement” are missing the point. This is what our business needs help with. Not to just always call “balls and strikes.”
   4. It’s ok to lack independence because we have objectivity as our safeguard.
      
      1. Objectivity just doesn’t come from what we observed in our work. It’s what we discuss in our networks, its the data we capture in our benchmarks, its the perspectives we bring on how organizations are already succeeding where we are trying to improve.
   5. We even see it in SOX. High-maturity SOX programs are so because the SOX team isn’t just testing controls (i.e. remaining independent), they are educating control owners, partnering with business leaders on where new controls are needed when new applications are added or new business units are required. We’re coaching our Chief Accounting Officers, Corp Controllers, and CFOs on where we can trim testing efforts to reduce time spent on SOX testing by rationalizing controls and quantify and increase savings of our external auditor reliance strategy.  Hell, we’re even partnering with the external auditors more to make their lives easier, so we can make the business’ lives easier. 

‍

This isn’t your mother’s 3rd line, hands off and just testing. Those operating in the gray regarding independence are the ones that will be leading the internal audit industry forward in our new era.

‍

How Internal Audit is transitioning into a new Era

‍

1. Breaking down silos isn’t just happening across the business, it’s happening across Internal Audit’s staffing model and core competencies
   
   1. Triple threat auditor talk track. The Next Era of Interanl Audit staffing will not have separate IT and BP audit teams. They will finally become integrated.
   2. Internal Auditor’s who will succeed and become CAEs in 2030 and beyond will have the agency to expand their own skillset and critical thinking capabilities, pushing their leadership teams to give them the budget for the training they want, to place them on the projects they need to round out their experiences, and to help find them rotations in the business to improve their business acumen.

‍

2. Internal Auditors fluent in how to apply data analytics will be the most successful rolling out Gen AI. And they will do so because the Next Era of Internal Audit leadership will be pushing hard to replace their traditional assurance responsibilities with continuous monitoring activities. 
   
   1. This will result in shorter audits - where IA just needs to ensure that process and control owners are using Gen AI and continuous monitoring activities as internal audit instructed.

‍

3. Because Internal Audit’s remit is already expanding into more 2nd and 3rd line GRC work,  and because we have helped drive continuous monitoring successfully within our business, and because we are allocating more of our time for traditional audit activities to areas more important to our company’s success, we will be more relevant.

‍

4. And because of our increased relevance to the business, we will be tapped on the shoulder, or approved when we are proactively pushing to create or improve upon, our organization’s Connected Risk strategy. We will be better coordinating, collaborating, consolidated, and connecting the strategies, people, processes, and technologies across the 2nd and 3rd lines - and even using our knowledge of analytics and Gen AI here. 

We will not be seen as auditors. But we will be seen as agents of change. As Connected Risk Architects. And perhaps more of us will even be rebranding our team names to boot.

‍

5. And when we are working to help leaders to receive more reliable, and more of the information they need to make better business decisions, and the board with their oversight responsibilities, there will be increased odds that CAEs will be leading a combined governance, risk, and compliance initiative, and reporting directly to the CEO, and perhaps now even administratively to the Audit Committee Chair.

‍

Slide 1: 

‍

Internal Audit Is Changing. What’s Your Game Plan for Keeping Up?

‍

1. Redefine Internal Audit’s Value Proposition
2. How to transition from more assurance to advisory work?
3. When doing advisory work, it’s better to leverage external expertise
4. To position yourself to be seen as a source for advisory work, Internal Audit’s independence needs to be actively managed.

‍

Slide 2: 

‍

Internal Audit is doing more Advisory Work than Ever Before

‍

Summarize the following article into one slide:

Is the Traditional Internal Audit Project Losing Its Relevance?

The majority of traditional Internal Audit projects were of one basic type: the audit. That’s changing. Most Internal Audit teams are doing more advisory work than ever before.

As a result, Internal Auditors need to reimagine what assurance work can be. As more teams provide assurance on new and emerging risk areas, they should be delivering forward-looking assurance over future success — not backwards-looking assurance, highlighting what went right and wrong. 

That means traditional assurance-focused Internal Audit projects are becoming less relevant.

A Key Conversation for Internal Audit’s Future

This theme keeps coming up at the Internal Audit Collective — in roundtables, forum discussions, casual conversations, and this newsletter. 

After all, would we be talking about changing Internal Audit’s name if many teams didn’t feel that the name no longer matches what they do? 

The profession is making big strides toward being more risk-focused. Our remits and toolkits are expanding. At the same time, the new Global Internal Audit Standards differentiate less between assurance and advisory requirements than the old IPPF.  

Internal Auditors who aren’t following these industry changes will miss out. 

They’ll miss key opportunities to deliver more value. 

They’ll miss a pivotal chance to redefine who they are.

They’ll miss important chances to help their organizations when Internal Audit’s help is needed more than ever.

Sure, some people may not know how to carry out the advisory projects that they should be doing. But some don’t know when to use an advisory project versus when to use an Internal Audit project. And unfortunately, some don’t even know they could be doing advisory projects.

Long story short, the key for Internal Auditors now is understanding their organizations’ new and emerging risks and how they can participate. 

So, when should we use a traditional Internal Audit project? When would an advisory project be more appropriate? And in those cases, what are the acceptable types of projects and services we can use? 

Today, we’ll look at the binary of assurance vs. advisory, offering a basic framework to help you determine what type of advisory projects you may be able to use. Different project types involve distinct foundational elements and levers. We’ll also provide high-level overviews of key advisory-related projects commonly cited in the Internal Audit Collective community.

When to Use an Internal Audit Project

Step one is figuring out when a traditional Internal Audit project does or doesn’t suffice.

The age-old Internal Audit project — rooted in its independence and objectivity — goes well with processes that (1) have been around for a while and (2) are managing known risks.

When NOT to Use an Internal Audit Project

In what situations is a traditional Internal Audit project NOT the right tool? Key indicators include  management requests, less formalized procedures, and — most importantly — new and emerging risks. 

Some of the biggest risks to our organizations are not the known risks, but the new and emerging risks. In most cases, management hasn’t established appropriate processes, policies, or other mechanisms to manage these risks effectively. 

It’s not because of negligence. It’s just not on their radar. 

As Internal Auditors become more risk-focused, these projects are taking more of our time.  

An Internal Audit Director on the Internal Audit Collective shared that her team is spending increasing amounts of time on consulting projects outside the scope of their audit plan. It’s challenging to know how to frame these services and showcase their value — all while ensuring that Internal Audit’s advisory efforts are focused, meaningful, and aligned with organizational priorities. After all, as another CAE commented in the thread, “I find that [consulting] can take up a lot of time at the Director and above level if you aren’t clear of your focus and priorities.”

That brings us to step two: Determining which type of service it IS appropriate to provide.

On the Internal Audit Collective, different teams shared their different categories; all are valid. Organizations have wide-ranging needs and different ways of talking about things. 

But my goal here is to simplify. The four basic categories below can help guide your thought process. 

Bucket #1: Emerging Risks Unknown by the Company 

This category comes into play when a risk is unknown to the company and it could be key. 

Example Projects

In these cases, Internal Audit can help their organizations by:

• Researching and understanding whether the risk could have a significant impact on the organization’s success by conducting research using external sources (e.g., guidance from subject matter experts, content from industry-specific sources).
• Using your research to create awareness of the risk’s potential impacts with your organization’s leaders, including both threats and opportunities. The goal here is ensuring that the organization has an opportunity to take advantage of potential upsides and protect themselves from potential downsides. 

Deliverables

Memos, considerations, and/or slide deck showcasing opportunities and threats.

Level of Effort

Lower level of effort, but ongoing as the risk becomes more pronounced.

Bucket #2: Emerging Risks Known by the Company

If a key risk is known and relevant but no actions have been put in place to manage it yet, Internal Audit can advise and help establish governance processes if/as needed. 

Example Projects

In his excellent book Auditing and Disruptive Technologies, Tom Sanglier lays out a game plan for how Internal Auditors can participate in helping organizations understand and manage emerging risks related to disruptive technologies like generative AI. This may include the following project types:

• Advising on and documenting a pilot program and roles and responsibilities, helping determine whether and how the risk should be mitigated or capitalized upon.
• Monitoring and reporting on the performance of the pilot program, providing feedback to the business.

The most important aspect is the cross-functional collaboration and perspective that Internal Audit can bring to pilot process development and governance. Teams that prefer to be more independent would likely volunteer their resources toward pilot or rollout monitoring and oversight (versus actually participating).

Deliverables

Governing documents outlining roles, responsibilities, goals, and objectives of the pilot program. Ongoing status updates.

Level of Effort

Akin to participating in an enterprise-wide governance program or strategic project (i.e., three to six months of part-time involvement).

Bucket #3: Key Risks Beginning to Be Managed

When a key risk is known and processes are being established to manage it, Internal Audit has a wide range of opportunities to assist. 

Example Projects

Vail Resorts VP of Internal Audit James Wilson, Jr., put together a masterful matrix showcasing the various engagements his team can provide; he recently shared it on the Internal Audit Collective. The example Internal Audit projects below are inspired by Jim’s Service Suite. This type of categorization can be great for helping stakeholders understand the range of assistance your team can offer.

• Pre- or post-implementation reviews, providing assurance that the processes either (a) will be designed to manage the risk as intended or (b) are managing the risk effectively. 
• Gap assessments (e.g., inconsistent policies and procedures, current vs. future state) comparing actual performance against potential or desired performance to identify gaps and recommend steps to bridge them. 
• Targeted assessments (e.g., risk assessment, maturity assessment, operational improvements), assessing existing risks, processes, and/or controls to advise management on process improvement opportunities to increase efficiencies and reduce risk. 
• Targeted support for a specific business objective in which final decision-making is management’s responsibility (e.g., process and controls documentation, training, fraud examination, compiling research and information, project management support).
• Quick-hit consulting focused on ad hoc requests, providing risk mitigation advice in the form of brief risk or business insights. 

But you don’t have to stop here. These ideas represent some of the more common advisory-type engagements. However, there are more opportunities being discussed in the Internal Audit Collective community.  

Deliverables

Memos, reports, status updates, maturity models, and/or other agreed-upon deliverables.

Level of Effort

Similar to traditional audit projects, these projects would likely require planning, fieldwork, and reporting phases. Time should be allocated accordingly. 

Bucket #4: Key Risks Managed on an Ongoing Basis

If a key risk is known and processes already exist to manage it, Internal Audit can audit those processes.

Yep, this is the traditional, old-school Internal Audit project — the audit. No explanation needed here. You got this.

Time to Look Forward, Not Backward

If we want to improve our stature in our organizations, we need to stop telling people what they’ve done wrong, and start providing advice on whether their actions are setting them up for success.

To achieve this, more Internal Audit leaders should:

• Be aware of the other types of projects they can perform.
• Invest time in socializing that portfolio of services.
• Hold themselves accountable for having a broader mix of traditional assurance vs. advisory services.

The future won’t be 100% advisory services, because some of our organizations’ biggest risks have been around for ages and aren’t going anywhere (e.g., cybersecurity, hiring for the right skill sets, third-party risk management, business continuity). 

But the future is always uncertain. 

Internal Audit can be a key player in helping organizations prepare for it.

‍