Internal audit must evolve to stay relevant.
Key takeaways
The 2024 IIA Global Standards are a catalyst for change.
Audit plans must be dynamic and responsive.
Cybersecurity, supply chain and third-party risk are top priorities.
The evolving role of internal audit in a volatile world
In today's ever-changing business world, the internal audit function needs to adapt to ongoing economic uncertainties. Internal auditors need to play a more dynamic role, bringing agility, proactive strategies and a forward-thinking approach to the business.
The introduction by the Institute of Internal Auditors (IIA) of the 2024 Global Internal Audit Standards brings noteworthy changes, focusing on modernizing practices and boosting value creation. These updated standards stress aligning strategic and enterprise risks, elevating advisory services, and embracing technology and innovation. In addition, this framework supports real-time risk response through continuous audit planning cycles instead of traditional annual risk assessments.
Moving from conformity to creating value, emphasizing agility and focusing on continuous improvement is a critical evolution for internal audit programs. Indeed, internal audit programs should adopt a proactive perspective on risk and business opportunities.
To dive deeper into how these changes are reshaping internal audit functions and what they mean for your organization, watch our on-demand webinar.
Internal audit strategies for navigating persistent instability
Over the past five years, businesses have encountered numerous challenges including a global pandemic, employment concerns, geopolitical conflicts, inflation and regulatory changes. According to AuditBoard’s 2025 Audit and Beyond conference, risk and audit have been transformed in the era of what they call a “permacrisis,” or a period of ongoing and interconnected crisis. Certainly, early turmoil in 2025 has disrupted a majority of internal audit plans. This situation has reshaped risk, emphasizing the need for internal auditors to constantly reassess and update their audit plans. While traditional risks like cybersecurity, regulatory compliance and supply chain disruptions remain important, their urgency and interaction with other risks have transformed the landscape. Internal auditors must stay watchful and adaptive to ensure their audit plans stay relevant and effective.
To remain effective through continuous instability and change, internal audit plans should be viewed as living documents in navigating uncertainty. Regular meetings with leadership are crucial to realigning emerging risk priorities and adjusting audit coverage as needed. This approach allows internal auditors to remain agile and responsive to the rapidly changing risk environment. Implementing tools and processes, such as dashboards that integrate third-party data (e.g., tariff updates, policy announcements) or artificial-intelligence-based sentiment analysis, for tracking geopolitical, economic and regulatory indicators in real time, can offer early warning signs, helping internal auditors anticipate potential risks. Continuous monitoring of key risk indicators can also improve audit coverage while reducing audit time and effort.
Internal auditors should also position themselves as strategic partners to leadership, offering valuable insights and advice on enterprise risks. This shift from traditional assurance work to more advisory roles is necessary. As a key part of this transition, internal audit functions should evaluate their expertise and consider leveraging the experience of external advisors to effectively tackle new and emerging risks.
Organizational resilience and scenario planning are key focal points of internal auditors’ expanding role. Assessing crisis management protocols, supply chain alternatives and preparedness of essential functions can help organizations withstand rapid disruptions. Internal auditors should evaluate not only business processes but also resilience capabilities to ensure the organization can manage unforeseen challenges.
To accommodate a continuously evolving risk environment, internal audit functions should consider creating reserve capacity and identifying flexibility within the internal audit function to further boost agility and responsiveness. This might involve distributing unallocated hours in the budget plan or using flexible staff to quickly address emerging issues.
Internal audit plan critical areas of focus
While evaluating an organizations dynamic risk landscape, it is likely that the three risks below will be priority areas of focus for an audit plan today:
1. Cybersecurity: Cybersecurity risks are heavily influenced by complex factors like tariffs, infrastructure delays and an increase in counterfeit goods due to supply chain disruptions. Geopolitical tensions and economic difficulties worsen the risk landscape, increasing state-sponsored attacks and general cyberthreats. Evolving regulations on AI and computer chip exports, along with funding cuts to crucial cybersecurity agencies like the Cybersecurity and Infrastructure Security Agency, pose significant challenges requiring vigilant monitoring and proactive risk management.
Internal audit departments are addressing these cybersecurity issues by incorporating fundamental audits like network penetration tests, web application testing and ransomware simulations into their audit plans. These activities provide essential risk insights and assurance to stakeholders while maximizing value with limited resources. The trend toward consultative internal audits, focusing on in-depth technical evaluations of cybersecurity tools and solutions, is growing. This ensures selected tools are effectively deployed and offer the necessary visibility and protection against cyberthreats. Additionally, advisory engagements on emerging risks and technologies are becoming common, offering strategic insights without formal audit opinions.
2. Supply chain risk management: The supply chain is another area where the evolving role of internal audit is providing significant value. Post-pandemic disruptions highlight the importance of visibility and resilience in supply chains. Internal audit plays a key role in evaluating sales and operations planning, production capacity, profitability and supplier risk profiles. Utilizing technology and data analytics, internal audit can offer insights into demand planning, benchmark manufacturing sites and assess supplier viability. These efforts help organizations optimize supply chain operations, mitigate risks and improve overall business performance.
3. Third-party risk management: With a growing reliance on external vendors, third-party risk management (TPRM) is essential in today's interconnected business environment. Internal audit programs must evaluate risks posed by suppliers, including operational disruptions, cyberthreats, financial instability and reputational impacts. Effective TPRM involves comprehensive management from engagement to termination, ensuring continuous monitoring of high-risk issues identified during due diligence. Common pitfalls, such as insufficient risk classification and inconsistent vendor monitoring, can be addressed through thorough internal audit assessments, offering actionable recommendations to enhance TPRM practices.
The takeaway
To navigate the evolving risk landscape, internal audit must embrace change and adapt by implementing new strategies. Treating audit plans as dynamic documents, using real-time tracking tools and positioning the function as a strategic partner are essential. Scenario planning, auditing organizational resilience and building agility are crucial as well. Internal auditors should remain proactive and responsive to provide valuable insights and support, helping the organization navigate complexities and emerge stronger.
The future of internal audit will be shaped by adaptability, technological integration and strategic alignment. Internal auditors must be comfortable amid uncertainty and continually learn and leverage innovation to improve risk coverage. Collaborating with enterprise risk management functions and maintaining strong alignment with external advisors are vital for delivering effective insights. By positioning themselves as business partners, internal auditors can ensure relevance and contribute significantly to organizational success. The 2024 IIA Global Standards offer a framework for this transformation, enabling internal audit programs to operate with a risk-intelligent, forward-looking perspective.
Related insights
Risk assessments
A risk management assessment can help determine how your organization can leverage internal audits as a competitive advantage.
