Amid continuous technological, regulatory, and financial transformation, the internal audit function is evolving into more of a strategic advisor to management and boards, as opposed to a pure assurance function. 

This shift has come more naturally to organizations on the forefront of risk management, technology adoption, and talent upskilling but has been a steeper curve for more conventional leaders who’ve kept internal audit siloed. In conversations with regulators, auditors, and risk leaders in financial services at 2024’s RMA Annual Internal Audit Conference, CrossCountry Consulting’s Integrated Risk Management experts discussed and delivered some of these central themes driving the internal audit function of the future. 

Explore takeaways for 2025: 

Harnessing AI’s Impact and Influence 

For companies able to capture the value potential of AI, it can be deployed strategically within internal audit as an accelerator while still preventing the introduction of undue risk. For example, internal auditors can leverage AI for analyzing large inventories of documents and preparing summaries.  

But the path to adoption hasn’t been smooth to date. Although an estimated 55% of businesses are implementing AI, just 2-4% of internal audit teams have made any AI progress at all. 

Additionally, AI requires large amounts of computing power, data, and access, which companies may not have established to date. This cloud infrastructure, however, is the foundation for experimenting with AI-powered data analytics at a scale needed to deliver tangible cost and labor savings within internal audit. On the personnel side, without the right talent and training, AI adoption won’t occur organically or add any strategic value. Auditors must grapple with immediate audit demands while remaining ahead of the AI curve. 

Cybersecurity’s Critical Points of Exposure 

Particularly with the additional risk exposure of GenAI, a tenuous geopolitical landscape, and recent election cycles potentially changing policy, cyber threats continue to be a key theme. During opening remarks, the IIA Global BoD Chairwoman noted that the 2025 Risk in Focus study performed by the IIA indicates cybersecurity continues to be the No. 1 risk worldwide, with digital disruption (including AI) and climate change/environmental risk both climbing year over year. These study results indicate that for audit teams to build proficiency and perform more strategic audits, they may require a different way of approaching audits. Moving forward, this might also require different talent and skill sets. 

Similarly, during the Operational Resilience discussion jointly presented by Deloitte and CrossCountry’s Cameron Over, Risk Advisory Partner and National Cyber Leader, conversations focused on: 

  • The expanding regulatory landscape. 
  • The proliferation of cyber threats to organizations, largely through vendors or third parties. 
  • The need for organizations to consider key resilience and reliance gaps for their trusted vendors in the wake of the CrowdStrike software update failure. 
  • The consideration of deeper testing rigor, including scenario-based testing using insights from threat intelligence. 

Emerging Regulatory Trends and Risks 

Regulators in attendance at RMA provided critical insights into the trends they’re seeing and how businesses can adjust their perspectives accordingly. For instance, internal audit teams face a more complex role as global footprints expand, and they must decide which type of auditing program is most efficient: continuous monitoring or scheduled audits. 

Because regulators are talking to first, second, and third lines of defense, it’s imperative that non-auditor experts are also involved in high-level risk management discussions. This reality emphasizes the need for greater collaboration across lines of defense and between corporate functions to ensure a systematic approach to risk and audit. 

Other key themes included: 

  • Evolve risk assessments from qualitative to quantitative. 
  • Understand third- and fourth-party risks to ensure adequate monitoring and audit coverage. 
  • Auditors must be curious about new and emerging risks and leverage technology to identify these risks. A few ways to uncover emerging risks are to coordinate with all lines of business, establish a common nomenclature, and read risk publications, speeches, and public orders. 
  • Internal audit must be involved in M&A due diligence and the implementation of automation and GenAI systems. 
  • Practice the story and the delivery of audit findings with executives and key stakeholders to ensure the right message, recommendations, and angles are being communicated. When sharing results, have an open dialogue with core groups to make audit findings more impactful. 

Aligning 3 Lines of Defense 

Sometimes referred to as “connected risk” or “threelignment,” the more integrated and collaborative the three lines of defense are, the more positive the outcomes. Some of the best ways organizations can establish and enhance these points of connectivity are by: 

  • Having all teams provide feedback early and often in support of the enterprise at large. Risks, threats, and opportunities should be openly communicated and workshopped so that risk, compliance, and audit functions aren’t just designed to protect value but to create value as well. 
  • Prioritizing units under regulatory scrutiny so that attention is focused where it can have the most impact. 
  • Using IT as an enabler and accelerator for aligning the three lines of defense across teams, systems, and processes. This includes the adoption of comprehensive GRC platforms and data aggregation tools. 

As these groups collaborate more effectively, they provide a more consistent, repeatable audit experience that will become the norm in 2025 and beyond. 

To ensure your organization’s internal audit function is driving value creation in 2025, contact CrossCountry Consulting.
