The internal audit profession has been grappling with a greater array of responsibilities beyond checking up on corporate finances, including vetting companies’ cybersecurity and use of artificial intelligence.
The Institute of Internal Auditors has been introducing what it calls “Topical Requirements,” starting with cybersecurity and moving onto other topics, in addition to rolling out an updated set of Global Internal Audit Standards, which took effect in January.
“The next one is called organizational behavior, aka culture,” said IIA president and CEO Anthony Pugliese. “Culture doesn’t translate the same in every part of the world, and even in the U.S. Sometimes people think culture just means, do people like working there? That is a part of it, but it’s not the part we focus on. We focus on the culture’s attunement to risk, and tolerance of risk, and how they approach risk. We look at whether employees are happy, but that all plays into whether they’re comfortable reporting risks and reacting to risks. That’s very important since the pandemic, with all the supply chain issues that are coming out of tariffs and things like that.”
Internal auditors now find themselves dealing with risks of various kinds. “The internal audit profession is operating in one of the most complex environments in its history,” said Richard Chambers, a senior advisor on risk and audit at the technology company AuditBoard and former president and CEO of the IIA. “We’re battling a shrinking talent pipeline, falling short on IT expertise, and navigating new regulatory changes, all while trying to keep pace with emerging risks that evolve faster than most audit plans can track.”
The IIA has been expanding globally as the profession seeks more talent. “We admitted Cameroon in Africa, and we also admitted Georgia in Eastern Europe into the federation,” said Pugliese. “There are different levels of admission. When you’re a global chapter, that just means you’re loosely organized, and you’re doing some things to help the profession, and we support it. But when you rise to the level of a national institute, that’s when you get the official name, like IIA Georgia, IIA Cameroon. Those two countries hit the benchmarks of growth and numbers and governance in place.”
The IIA has now grown to about 270,000 members around the world, he added. It’s part of COSO, the Committee of Sponsoring Organizations of the Treadway Commission, along with the American Institute of CPAs, the American Accounting Association, Financial Executives International and the Institute of Management Accountants. In May, COSO and the National Association of Corporate Directors released an exposure draft of a proposed Corporate Governance Framework, but in July decided to withdraw it, citing the shifting regulatory and economic landscape for U.S. businesses after passage of the One Big Beautiful Bill Act.
“There was a sense of, did it expose too much liability to organizations that followed it?” said Pugliese “And that’s a good question to ask. That’s not the intention, to cause an organization to get sued because they followed guidance from COSO. So it was more like, let’s pull it so we can think about that and then put it back out.”
He said the proposed framework seemed to hit a soft spot, but he predicts it will re-emerge eventually.
The auditing profession has been evolving steadily over the years. “I have witnessed an enormous amount of change in the time that I’ve been a part of this profession,” said Chambers. “In the early years, the imperative that auditors pursued is what I’ve referred to as hindsight. We were very much focused on what happened in the past — what happened last year, last week, last month, were the controls designed and implemented effectively, was there accountability? It was always about looking in the rear-view mirror.”
Internal auditors are providing more forward-thinking advice to their organizations. “Throughout the latter half of the 20th century, auditors began to focus not just on hindsight, but giving a more contemporary perspective — not just looking at what happened, but looking at what is happening,” he added. “That’s what we start to talk about auditors providing insight. Continuing to look behind us, but also looking around us to provide perspectives, assurance and advice while it’s still timely enough to make a difference.”
Auditors need to offer fresh perspectives as they eye the future. “In today’s regulatory environment, auditors are increasingly being called upon to provide foresight,” said Chambers. “This is where we begin to look forward — to anticipate risks, identify emerging trends, and provide strategic advice that helps our organizations become more resilient and agile. Foresight doesn’t mean forecasting the future with certainty, but it does mean leveraging the right data and technology and our understanding of risk to help the organization be better prepared for what might lie ahead.”
Companies need to be more forward-looking now as they face risks beyond just ensuring Sarbanes-Oxley compliance. “Audit and SOX are a component of overall enterprise risk,” said AuditBoard CEO Raul Villar Jr. “Our goal is to connect risk across the enterprise, and we believe we’re uniquely suited to do that. We have a huge base of really loyal customers.”
Like the IIA, AuditBoard has been expanding into areas such as cybersecurity and governance. “If you just think about some of the hottest topics that we read about every day — cybersecurity, AI governance — these are topics that the largest companies in the world are looking to AuditBoard, saying, ‘How can we create this enterprise risk assessment for all these topics and include these?'” said Villar. “This is what their boardroom is looking for. What’s going on with cybersecurity at the firm? What’s going on with AI? How are we governing the tools? How are we enabling our employees to leverage it, but protecting the firm? Because it’s a new technology. The people we work with, the larger companies, are actually more conservative than smaller companies. They’re taking a really cautious posture, but they’re looking for guidance.”
Over half of Fortune 500 companies use AuditBoard, Villar noted, including seven of the largest 10 companies in the world.
Regulatory changes and new standards
Regulatory changes have been affecting the auditing profession and influencing its future direction. “The regulatory landscape has shifted and as a result, so has the auditing profession,” said Chambers. “We’re seeing heightened scrutiny around ESG reporting, cybersecurity oversight, fraud risk and AI governance, all of which are redefining the scope and complexity of what auditors are expected to assess. For the future of the auditing profession, this means transformation is not optional; it’s essential. Auditors must embrace continuous learning, develop fluency in new and emerging risk areas, and integrate trusted AI into their workflows.”
The changes have been one reason why the IIA decided to update its Global Internal Audit Standards. “We had something similar before, but in 2021, after I started, we decided it was time for a wholesale rewrite, not because the old ones were wrong,” said Pugliese. “They were simply outdated, and not all in the technical ways, but more in the approaches that we wanted our members to take, like more active communications with boards, almost to the point of saying you need to talk to your board or audit committee, and if you cannot, then you need to document the reasons why.”
The IIA wanted to introduce the concept of public interest as part of its standards. “We believe we also act in the public interest, although in a less direct way than external auditors,” said Pugliese. “We still provide boards the data they need to lead governance within an organization.”
So far, the updated standards have been well received by IIA members. “We really did see a great reaction, because we wanted to position them to help members with all the challenges they were facing, and as best we could stand the test of time and not need to be rewritten next year,” said Pugliese. “I think we hit the balance. We’ll keep our eyes and ears open, but they became required in January. We had a full year implementation period, and we’re hearing good things about it.”
AI’s role in audit
Internal auditors are starting to leverage artificial intelligence as a tool for evaluating companies.
“I believe more audit leaders will invest in AI in today’s regulatory climate,” said Chambers. “The volume, velocity and variety of data that auditors must assess have grown exponentially. Manual approaches are no longer sufficient.”
AuditBoard has been making more use of AI as well. “Clearly our platform today is infused with AI throughout,” said Villar. “It’s a huge opportunity for us to simplify some of the mundane tasks that auditors have to use today. Our ability to enable them to streamline those activities is really helpful on the risk side. We are really encouraging our clients to treat AI like any other risk within the company. Everywhere they use AI in the organization, what are the controls that they’re measuring and managing? Where’s the data coming from? That’s probably the most important thing, ensuring data integrity. We saw some early missteps with AI, so we want to make sure you know that our clients are taking into account all the different regulations, but ensuring that they understand where the data is coming from. We provide them the framework to do that, and they treat it like another major risk element across the firm.
The role of the auditor is likely to continue evolving in the years ahead. “Over the next few years, the role of the internal auditor will evolve dramatically — from a traditional focus on hindsight to becoming a forward-looking, tech-enabled strategic partner,” said Chambers. “As regulatory demands around ESG, cybersecurity, and AI governance intensify, auditors will be expected to anticipate emerging risks, deliver real-time insights, and contribute directly to organizational resilience. With data analytics and AI becoming core to audit operations, audit professionals will need to master new technologies while cultivating deep business acumen and agility. This transformation also demands a shift in perception—from compliance enforcers to value creators and trusted advisors. The auditors of the future must be continuous learners, tech-literate thinkers, and proactive communicators who help shape strategy, foster stakeholder trust, and navigate uncertainty with confidence.”
