
6 Common Hurdles to Risk-Based Auditing — and How Small Audit Teams Can Overcome Them
The Internal Audit Collective’s 2026 audit plan benchmarking survey offered plenty of insights. But it also left us with plenty of questions. Last week’s newsletter looked at why audit plans are often out of step with CEO and board priorities.
This week, we’re digging in on the finding that audit specialization tends to increase with team size: “Small teams tend to act as generalists, focusing on controls and foundational financial cycles (e.g., AR) to ensure basic corporate hygiene. Larger teams are nearly twice as likely to tackle complex audits such as revenue operations and IAM.”
The thing is — I know plenty of small Internal Audit teams who specialize. They’re doing risk-based audits and advisory projects alongside the “required” audits. So we interviewed three of them: Director of Internal Audit Dawn Vogel, SVP of ERM and Internal Audit Jay Alverson, and VP of Internal Audit Stephen Arietta.
So, what hurdles do small audit teams face on the path to more risk-based auditing? More importantly, how can they allocate their limited resources to more effectively address their organizations’ top risks?
Hurdle #1: Your Core Remit Has to Come First
Most Internal Audit teams would prefer to be risk-based. But every team has limited resources, and every team has to complete their nonnegotiable work before they can consider any other projects.
For many small teams, the lack of specialization comes down to time and resource constraints. Also, as Dawn pointed out, in many small companies, the lion’s share of SOX and controls work falls to Internal Audit simply because (1) everyone in the organization is balancing their workload with resource constraints and (2) Internal Audit has the most relevant experience in these areas.
“You do have to accomplish what you're originally asked to do. So if you're at a startup (pre-IPO or newly IPO), establishing a foundation for the SOX program is often the first remit. If you're brought in to transform or stabilize a function, you have to understand where the team is and build a roadmap to where you want to lead it,” said Stephen. “If you don't accomplish the original requests of the Audit Committee and Executive Management, then it’s going to be tough to do more beyond that.” Indeed, Stephen built his company’s Internal Audit function from scratch. His four-person team spends ~60–65% of their time on SOX, but they’ve built up to 4–5 additional projects annually.
What Works
Be Amazing at Your Core Responsibilities
Your core remit is an opportunity to prove your expertise and value. Indeed, viewing SOX as a lever for building Internal Audit’s reputation/relationships and gaining trusted-advisor status is a core hypothesis of the Internal Audit Collective.
For example, even though Dawn is a seasoned CAE-level auditor with decades of experience, when she started at a new organization in 2025, she jumped into the trenches to do SOX testing to help support the External Audit strategy.
The reality is that, on Dawn’s three-person audit team, everyone shares the load. “We need to help. But I look at it as a way to get in,” said Dawn. “How do you establish trust, credibility, and context? For me, being new, it’s just getting in there and helping wherever they need help. It helps me understand the business, it helps management, and both go a long way toward building relationships and credibility. So down the road, when there are more resources to do other projects, management will know who I am. They’ll have trust in my abilities, and that will make the other things easier.”
Automate Key Aspects of Traditional Audits
Prioritize audit automation that helps your team carve out future bandwidth. Instead of starting from scratch every year, look for opportunities to use automation to support continuous auditing in areas like Procurement, Payroll, HR, and Pcards.
Jay’s team uses AI and analytics to automate as much of their traditional audit work as they can. This approach helps the four-person team oversee both ERM and 12 audit projects annually. (They don’t have SOX responsibilities.) For example, they’ve automated much of their T&E auditing. Key analytics on identified T&E risks tell them what they need to know, enabling them to drill down only if/where needed.
Supplement Your Team — and Rethink Who Does What
While Dawn’s three-person team spends 50–60% of their time on SOX, they’re actually planning 6–8 audit projects in 2026, including priority projects around AI governance, data governance, and a new system implementation review. To make this workload possible, they supplement their team with temps and co-sourcing providers who work under their supervision. Plus, as mentioned, the three core team members — a VP, Director, and Senior Auditor — are right in the trenches themselves.
Hurdle #2: Limited Relationships Limit Your Knowledge
The top 2026 audit topics for teams of any size — i.e., cybersecurity, fraud, ERM, general control reviews, procurement/vendor management, IAM, external auditor assistance, corporate compliance, IT operations, and third-party compliance — read like a laundry list of typical CFO and CIO priorities.
CAEs’ traditional administrative reporting line to the CFO undoubtedly impacts Internal Audit’s agenda, and most small-company CIOs also report to the CFO. Beyond this, Internal Audit relationships typically include IT, Risk, Compliance, Supply Chain, HR, and General Counsel — mostly second-line functions. Creating risk-based audit plans that better align with first-line priorities requires reaching beyond these relationships.
As Stephen put it, “Building relationships in an organization sets the foundation for what audit can do.” He added, “CFOs have very good insights, and I’ve gotten a lot of ideas from CFOs I've worked with. But there's a whole other world of leaders who don't think like a financial executive. When you hear about what they care about and what's troubling them, that's where doors and ideas open up to other areas of the business where Internal Audit can help.”
What Works
Invest in Relationships With First-Line Executives
Getting better information about risks and priorities involves face time with first-line executives in various parts of the business. Said Stephen, “If I’m a CAE struggling to get past basic or repetitive audits, I need to think more broadly. That requires getting face time with key executives. But it’s not just getting in front of executives — it’s building relationships and trust over time so you can really learn and understand what is important for them.”
Conduct Open-Ended Conversations — in Their Language
It’s difficult to align audit efforts with executive priorities if you can’t drill down to what they really care about. “If you talk from a pure risk, impact, and likelihood perspective, you limit how other executives think. So I try to get myself into their world, rather than force them into my world,” explained Stephen. “Risk is at the foundation of everything we do as auditors, but I try not to get too stuck on the word risk. So if you’re an executive and I’m there to talk to you about risk, we can be talking about anything — what frustrates you, what you think could go wrong, what you think we're missing out on.”
Hurdle #3: Business Acumen Is a Prerequisite for Trust/Access
The bottom line here is easy to understand, and Jay said it perfectly: “In every regard you must have business acumen to gain trust and credibility and understand organizational context.”
What Works
Lean In on Self-Education
“We go out and do our own research — we educate ourselves on issues facing our business,” said Jay. Proactively researching your organization’s key risks, operations, and processes beyond traditional focus areas will help you be more effective and confident in talking with stakeholders.
Meet Regularly with First-Line Stakeholders
One-on-one conversations with first-line leaders are critical for increasing acumen and better understanding context. Jay and his Audit Senior Director Lynn Ranf maintain monthly, bimonthly, or quarterly meetings with over 45 key individuals across their organization. It’s a heavy investment that pays ongoing dividends, enabling them to learn the language and pick up business and process knowledge. It also pays huge dividends in establishing trust and rapport.
Stephen advised, “Having your fingers on different pulses helps you know what’s really happening. So when you get to more tactical audit projects, you can have more focused questions, talk topically about the right things, and dig deeper where pain points exist.”
Increase Alignment With Iteration and Collaboration
Dawn emphasized how wide-ranging relationships improve collaboration, knowledge sharing, and audit quality and prioritization. “It should be an iterative process where you’re pumping up your risk assessment, your knowledge, and your draft plans with various levels of leadership within the organization. If you’re bringing them in at the right times — if you’ve got a good relationship and a solid understanding of the business — there should be less inconsistency between what management and Internal Audit view as key risks.”
She continued, “I really think it boils down to understanding the business and having relationships across it. If there's ever a disconnect between management and Internal Audit related to what Internal Audit should be auditing, go to one of those two areas to figure out how to fix it.”
Hurdle #4: Your Reputation/Brand Won’t Build Itself
Your team’s brand is a critical foundation for earning access to more opportunities in other areas of the business. But it’s up to you to build your brand so that everyone in your organization knows who you are and how you can help.
What Works
Emphasize the Importance — and Scope — of Your Brand
Stephen’s current team is the first Internal Audit function his company has ever had. That’s why he continually reinforces to his team, “We are creating what Internal Audit is here. And I always use the word ‘brand,’ because everything we do reflects that.” If there are essentials your team doesn’t deliver or the quality or timeliness of their work is lacking, that damages your brand.
Lead by Example
Dawn appreciates how her prior and current CAEs set the brand standard. “They focused first on the relationship component and understanding the business themselves, and that trickles down. Then they focused on how everyone on the team needs to understand the business, and promoted reaching out and building relationships.”
Hurdle #5: You’re ONLY Thinking Like an Auditor
“Thinking like an auditor” is absolutely something to be proud of. Problems arise, however, when you let that mindset limit you. Adopting a more strategic mindset helps small teams move beyond basic audits.
Said Stephen, “Don’t get stuck in needing to be in an auditor mindset all the time. Obviously, the audit is always the core of what we do. But the people I've come across in my career who are successful in this area can go beyond that audit world and say, ‘I'm a partner to the business’.”
What Works
Get Creative and Curious
“We start with the strategic priorities of the organization and work backwards. That's not to say we don't consider traditional audits,” said Jay. “But we start by being risk-based. What are our strategic priorities? Of that, what is auditable? And the answer is — much of it is auditable, if you apply your mind to it.”
“I've always been of the mindset that you can break any business activity down into a process,” said Jay. “So it's applying the loose framework that you know how to work with, getting curious about an area, and then doing what you need to do to educate yourself.”
Get Perspectives From Across the Business
Jay and Lynn regularly assess who the team is networking with across the business, literally mapping it out against their risk universe. They intentionally set out to regularly engage with stakeholders outside of traditional Internal Audit relationships, helping them build their business acumen and ensure ongoing relevance and value.
Develop or Source Strategic Thinkers for Your Team
As Jay pointed out, you need to be the right kind of leader — but you also need a team who can follow where you lead. That may mean helping your team members think more strategically, or staffing your team with candidates from outside traditional Internal Audit talent pools.
Hurdle #6: “Audits” Imply Criticism & Judgment
Internal Auditors are still too often seen by the business as “police” who drop in and point out problems, rather than trusted advisors they can count on to help them solve their problems. Also, in startups and other small companies, many people haven’t worked with Internal Audit before. And what they do know doesn’t typically make them excited to work with us.
As a result, some Internal Audit teams get stuck in the starting blocks, requiring them to spend time “selling” Internal Audit’s value that would be better invested in executing audit projects.
What Works
Lead With Consulting
Jay’s team finds that leading with consulting opens doors across the business. “Consulting wins people over. Especially in areas that you haven't audited before: They hear ‘audit’ and they want to run. So that's been very effective. Our board loves it. Management loves it. And I'm glad to see The IIA embracing it and recognizing it as a key tool in the toolbox.”
Prioritize Problem Solving Over Problem Identification
Dawn’s team is also starting with advisory projects related to key business objectives. “Our company is evolving, and we're trying to evolve, too. Advisory work like data governance and AI governance are on the audit plan, but we’re in an advisory role. There's just more value in helping them understand controls — what there is, and what they may need — and giving them an opportunity to implement those controls before we go in and provide an opinion.”
Be Strategic
You’ll shoot yourself in the foot if you start with an audit project that doesn’t end up providing value. So, as Stephen advises, “If you’re going to start doing operational audits that haven’t been done before, you’ve got to be strategic about where you can really deliver value. Because it’s almost like a proof of concept.”
Stephen suggests starting with areas where there are known issues or executives expressing a clear need (e.g., visibility/access to information, analytics, implementation reviews). “You don’t know what you’re going to find, but you know there will be an audit report delivering tangible value that an executive will actually read.”
Be Realistic
Based on your team’s skill sets, strengths, and bandwidth, Stephen suggests getting specific and tactical about where your team can add value. It won’t help to propose audits over all of your organization’s key risk areas if you don’t understand if/how you’ll be able to provide audit/consulting services.
So, ask yourself: Where is your team most likely to get a win that genuinely helps the organization? Start there.
THE LAST WORD: How Will You Do Things Differently in 2026?
Whatever your team’s size, your audit plan is a reflection of who your Internal Audit team is talking to.
Teams whose audit plans only include the usual “top ten” audits are probably not talking to first-line leaders in areas like sales, marketing, and product development.
We all do our best to fit in as many audit projects as we can. But every team has a vital opportunity to spend more time on the risks and priorities our business leaders genuinely care about.
As these three incredible leaders reinforced, that starts with being amazing at our fundamentals. It also requires trusted relationships in more parts of the organization, business acumen and strategic thinking, and reputations that open doors and break down preconceptions.
This is how we’ll create opportunities to be more risk-based. To do more than audit the same things we’ve always audited. To do more than audit, period.
The Internal Audit Collective exists to help you be amazing at what you do, and to develop the community, knowledge base, courage, and support you need to start doing things differently.
What will you do differently in 2026? Propose a new audit in an area of strategic importance? Build out a plan to expand your team’s relationships? Embrace assurance mapping to improve collaboration? Use your cybersecurity audit to provide value beyond point-in-time assurance?
Stay tuned, because we’ll do everything we can to help you get there. To start: A roundtable on auditing go-to-market activities. Best-selling author Larry Kaufman on building deeper management relationships. Monthly roundtables on upping your cybersecurity game. An article on T&E audit best practices, using automation to create time you can use elsewhere.
And we’ll keep it coming. So let us know: How can the Internal Audit Collective help you in 2026?