MYCPE ONE insights

Internal Audit Meets Intelligence

31 OCT 2025 / EXPERT INSIGHTS


Internal audit is at a defining moment. Boards no longer settle for compliance; they expect foresight, governance, and measurable impact. The Global Internal Audit Standards, effective January 2025, redefine what excellence means, emphasizing purpose, measurable outcomes, and alignment with enterprise strategy. This inflection point calls for audit leaders to move beyond compliance and step up as strategic partners who shape AI governance, unite hybrid teams, and deliver assurance that translates into measurable enterprise value. The Standards introduce Topical Requirements (mandatory areas such as cybersecurity, third-party governance, and soon fraud risk management and AI oversight) that every internal audit function must address to remain compliant and relevant. A recent Boston Consulting Group (BCG) study found that only five percent of companies are “future ready” and achieving scalable AI value. Yet with Agentic AI already accounting for seventeen percent of AI value in 2025 and projected to reach twenty-nine percent by 2028, internal audit can close this gap by providing independent assurance over AI governance and by reporting business impact in terms that boards understand.

Topical Requirements in Detail

The IIA has issued Topical Requirements for cybersecurity, third-party, and supply chain governance. Audit must assess cyber risk strategy, board oversight, incident response readiness, data governance, vendor due diligence, contract risk, service continuity, and ESG exposure across suppliers. 

Near-term Topical Requirements in development include fraud risk management (detection controls and whistleblower programs) and AI and digital governance (model inventory and lineage, validation and performance monitoring, bias and ethical testing). Failure to explicitly document measurable assurance in these domains risks non-conformance during external quality assessments. 

What the Profession Is Hearing from the Market

 

| Firm | Message | Source |
| --- | --- | --- |
| Deloitte | Internal audits should act as anticipatory partners, embedding GenAI, cyber, and transformation oversight to provide forward-looking, decision-useful assurance. | Deloitte – Hot Topics in Internal Audit 2025 |
| KPMG | Digital ethics, data governance, and algorithmic bias are audit committee priorities. | KPMG – Audit Committee Insights 2025 |
| EY | EY positions internal audit as the governance backbone, assuring cloud and AI transformations. | EY – Trust by Design |
| PwC | Internal audits must translate technical AI findings into strategic, decision-practical recommendations and provide evidence-based assurance of responsible AI deployment. | PwC – Responsible AI and Internal Audit |


These market signals are clear. But how does this translate into day-to-day audit execution? The answer lies in how technology is reshaping SOX programs. Boards echo these expectations. They don't just want insights, they want forward-looking insights on cyber resilience, ESG, and AI governance. This is where the audit function's true value lies, in providing proactive strategic insights that can shape the future of the organization. 

Technology in SOX Audits 

SOX programs are evolving rapidly. 

  • Robotic Process Automation (RPA): Streamlines reconciliations and control testing. Some audit teams now run nightly reconciliations of vendor payments, instantly flagging duplicates that previously took days to detect. 
  • Generative AI: Drafts walkthrough narratives and control descriptions, but auditors must retain ownership of judgment. A single model can summarize hundreds of control documents in minutes into a consistent summary for board review. Every AI-produced narrative should be reperformable by a human reviewer, with precision controls in place to confirm accuracy, completeness, and alignment with the underlying evidence. 
  • Agentic AI: Autonomously selects samples and validates evidence. When anomalies are detected in journal entries, it expands the sample size and compiles supporting evidence for auditors. The sample-selection logic, including thresholds, risk-scoring criteria, and exception-handling rules, should be clearly documented so the process remains explainable, reproducible, and defensible.
  • Machine Learning (ML): Analyzes historical data to highlight unusual journal entries or suspicious access logs, such as a user accessing sensitive financial systems at odd hours. 

Comparison of Audit Technologies 

The Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) have acknowledged that technology and data-driven tools can significantly enhance the effectiveness of audit procedures. However, they continue to stress that auditors must carefully design, test, and document governance, control coverage, and reliability of evidence before placing reliance on technology-generated results. When relying on AI-generated evidence, auditors should keep thorough documentation that demonstrates how conclusions were reached. This includes records of model validation results, reproducible sampling logic, explainability metrics, data lineage, and evidence provenance to show that the information is reliable and independently verifiable. 

These artifacts demonstrate that audit conclusions are supported by independently verifiable data, in line with PCAOB AS 1105 on audit evidence and SEC expectations for technology governance. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) and ISACA provide complementary guidance that technology can strengthen internal control only when the supporting IT general controls, vendor oversight, and mappings to COSO’s five components are properly governed and validated through testing. 

Governing AI with Audit-Ready Controls

AI without governance creates unacceptable risk to strategy, operations, and reputation. Internal audit must ensure: 

  • Model inventory and lineage tracking: Model inventory, lineage, ownership, and source/version metadata. 
  • Validation and performance monitoring: Model validation, performance monitoring, drift detection, and retraining governance. 
  • Bias and ethical risk testing: Statistical bias testing, outcome impact assessments, and remediation tracking. 
  • Transparent audit trails: Keep clear and tamper-proof records showing exactly who accessed or changed data and when. A solid audit trail should make every action traceable, verifiable, and easy to review. 
  • Cross-functional oversight: Governance with documented roles, escalation paths, and SLA metrics. 
  • Agentic AI system guardrails: 
    Auditors should verify that appropriate operational safeguards are in place. These include: 
    • Clearly defined scope limits.
    • An emergency “kill switch” to halt unintended actions.
    • Automated activity logs for transparency.
    • Performance thresholds that trigger human review.
    • Periodic retraining service-level agreements (SLAs).

Together, these controls help ensure that autonomous AI agents operate within approved boundaries, maintain accountability, and remain fully auditable. 

  • Third-party AI vendor assurance: 
    When third-party vendors provide AI capabilities, audit should review: 
    • Model risk management frameworks. 
    • Service-level agreements (SLAs). 
    • Change-notification clauses. 
    • Contracts including auditor access rights. 
    • Requirements for timely disclosure of model updates or retraining events. 
    • Periodic independent validation reports from vendors.

Cybersecurity assurance is now a core expectation under the 2025 standards. Audit must evaluate cyber resilience, incident response, and data governance, especially where AI intersects with sensitive data. BCG emphasizes that the real value of transformation comes from people and processes, not just from technology or algorithms. Internal audit plays a central role in connecting these elements and ensuring that innovation translates into measurable business results. 

Building Hybrid Teams

Tomorrow’s audit function is multidisciplinary. Hybrid teams combine auditors, data scientists, cybersecurity specialists, and ethicists. Practical steps include: 

  • Rotations and secondments to build operational fluency. 
  • Hands-on AI learning pathways. 
  • Incentives tied to outcomes. 
  • Strategic sourcing to fill digital skill gaps.

Future-ready companies upskill more than half their workforce in AI literacy. Audit must follow this trend. 

Measuring Impact That Boards Understand 

Boards fund outcomes, not activities. 

For "Value Preserved or Created," audit teams should establish a clear baseline, such as prior-year losses, process inefficiencies, or detected fraud rates, then estimate measurable improvements directly attributable to audit interventions. 

Applying confidence ranges (for example, ±10%) helps demonstrate that the results are conservative and evidence-based, giving boards greater confidence in the credibility of reported value. 

Navigating Emerging Risks and Ethical Tensions

As internal audit integrates advanced analytics, it must actively manage heightened risks: overreliance on opaque models, workforce skill gaps, cultural resistance to findings, rising regulatory scrutiny, and ethical accountability for AI and ESG outcomes. 

Roadmap for Chief Audit Executives 

  • First 90 days: Publish an AI governance framework and model inventory to build visible board engagement. 
  • Three to six months: Pilot RPA, generative AI reporting, and agentic sampling to generate early insights. 
  • Three to nine months: Launch a talent drive, hire a data lead, and conduct board workshops on AI and cyber risk. 
  • Nine to twelve months: Scale pilots and publish impact briefs to institutionalize innovation and influence budget decisions.

From Audit to Advisory Influence

  • A major U.S. natural-gas utility with more than two million customers found that manual reviews of vendor invoices were slowing down operations and leaving room for errors. To address this, the company introduced robotic process automation (RPA) to handle duplicate-invoice validation. What previously took around 45 minutes per invoice was reduced to just five minutes, improving efficiency by nearly 800 percent and saving the organization about USD 944,000 every year. 
    Source: Roboyo Case Study – Utilities: Delivering Next-Level Duplicate Invoice Validation 
  • Building on similar automation principles, many internal audit teams are extending these techniques to real-time reconciliations, continuous controls monitoring, and vendor-payment analytics. Combining generative AI for summarizing contracts and machine learning for vendor risk scoring, audit functions can evolve from compliance assurance to strategic advisory roles, delivering predictive insights, strengthening financial resilience, and enhancing board confidence in the audit function. 

ESG and Climate Finance

The role of internal audit in ESG and climate finance continues to grow. Organizations now expect audit teams to verify the accuracy of ESG data and disclosures, evaluate how responsibly AI is used, review governance over climate-linked instruments, and embed ESG metrics into enterprise risk management. Global frameworks such as the Task Force on Climate-related Financial Disclosures (TCFD) and the International Sustainability Standards Board (ISSB) under IFRS S1 and S2 are creating consistent expectations for transparency and assurance. Internal audit should confirm that sustainability reporting aligns with these standards and that governance practices meet both regulatory and stakeholder expectations. 

As organizations apply AI models to ESG and climate data, auditors also need to consider data privacy, security, and cross-border transfer risks. Regulations such as the EU’s GDPR, the UAE Data Protection Law, and several U.S. state privacy acts may limit data movement or require explicit consent for ESG-related data processing. Audit should verify that AI systems comply with data-residency and anonymization rules and that third-party cloud providers follow appropriate governance controls. Finally, generative AI and machine learning can make ESG assurance more effective by summarizing complex contracts, assessing sustainability risks, and automating disclosure testing, helping audit functions deliver assurance that is consistent, scalable, and defensible. 

Conclusion

The future of audit isn’t about choosing between compliance and innovation—it’s about mastering both. As AI and analytics reshape governance, now’s the time for audit leaders to upskill, rethink assurance, and lead the conversation on responsible intelligence. The organizations that do will not just keep pace, they’ll define what “audit excellence” means in 2025 and beyond.

Until next time…
