Internal audit future trends

Emerging trends and high-impact areas of focus

In any organization, there are many areas where internal audit’s perspective and skills can provide valuable insights. In the coming year, where can internal audit have the most positive impact and influence?

The year ahead

This edition of our internal audit insights series identifies 11 areas of high impact for internal audit in the year ahead. It also explains why these areas are important to stakeholders and how internal audit might approach the area in upcoming audit plans.


Strategic planning

In strategic planning, management lays the foundation for the success or failure of the organization going forward. Internal audit should review all key components of the strategic planning process: parties involved, data and intelligence, models, assumptions, scenarios, approvals, and communication and use of the plan.

Potentially high-impact components include management’s key assumptions and sources of data, such as those related to market share and growth, sales forecasts, interest rates, input costs, product pricing, funding sources, and regulatory activities. Internal audit should also review the governance over related models and can provide recommendations to strengthen the strategic planning process.



Third-party management

Internal audit should ideally begin with an assessment of management’s process for managing third-party relationships and risks across the relationship lifecycle.

Reviews of third parties offer potentially high returns in cost savings and cash recovery, which go directly to the bottom line (in contrast to compliance). However, internal audit may need specialized skills to assess certain relationships, such as those in advertising, cyber, or capital projects.



Analytics can boost efficiency and effectiveness in a range of internal audit activities. Dynamic audit planning enables internal audit to plan based on evolving risks rather than on those of the past. Analytics also enables internal audit to provide insight and foresight regarding risks and issues of interest to stakeholders, as well as insight-driven dynamic reporting.

Perfect data doesn’t exist. But analytics has been embraced and embedded even in situations where internal audit departments view their organization’s data as suboptimal.



Integrated risk assurance

In audit planning, integrated risk assurance can generate more meaningful information and insights for stakeholders. In audit execution, it can improve coordination among the first and second lines of defense and allocation of audit and risk management resources.

As the third line of defense, internal audit is well placed to develop and deliver integrated risk assurance. This means that audit plans should start with the business strategy, goals, and means of achieving them—and the associated risks.



As the ubiquity of cyber has become clear over the past year or so, boards have decided that incident and security reports from the CIO or CISO aren’t enough. They want internal audit’s independent, objective, comprehensive review of cyber risks.

Internal audit needs to define a cyber auditing approach that meets the needs of the organization, industry, and stakeholders, including regulators, third-party partners, and external auditors. The audit plan should prioritize the processes and capabilities to be audited and define the methods and frequencies of related audits.



Broadly, digitalization converts currencies, transactions, services, products, experiences, and relationships into virtual forms. Virtual forms are potentially more flexible, far-ranging, and profitable—and more challenging to audit.

At a minimum, internal audit should gauge the impact of internal or external digitalization on its business and functions. Internal audit should also understand how digitalization fits management’s strategic vision and plans, conduct appropriate risk analyses and rankings, and define audit procedures to identify risk exposures and review management’s steps to address them.


Risk culture

Regulators and boards are focusing on risk culture because it largely determines decisions, conduct, and risk taking within an organization. And gauging risk culture within an organization is becoming more critical across all industries.

Internal audit can audit risk culture within standard operational and financial audits by adding interview questions, gathering data, and developing an informal review. Since risk culture can vary across organizational areas, the results of risk culture reviews should be considered individually and in aggregate.



Strategic and emerging risks

With its enterprise-wide view and responsibility for providing risk assurance, internal audit has much to offer in the areas of strategic and emerging risks. Audit committees want assurance that the businesses and risk management are able to detect strategic and emerging threats posed by competitors’ moves, nascent technology, changing marketplace trends, and regulatory developments.

Existing efforts to monitor competitors, social media, and customer sentiment are often siloed, limited, or both. Instead, organizations need frameworks and formal, integrated, well-supported processes. Internal audit should review the framework, processes, and mechanisms for identifying, assessing, and managing strategic and emerging risks.



Sustainability assurance

Regulators, institutional investors, nongovernmental organizations, and the media are increasingly seeking disclosure on sustainability risks that could materially affect the organization and its performance.

Internal audit should cover at least one area of sustainability per year, such as employee or contractor health and safety, carbon emissions, operations management systems, or community engagement, selected in light of the materiality of the issue.



Media audits

Recent changes in the advertising landscape have led to agency transparency and advertising performance concerns. Some concerns include agencies not passing discounts and rebates through to the advertiser and digital ads being viewed by robots rather than humans.

As for all vendors, internal audit should review the process for selecting, managing, and monitoring the organization’s advertising agencies, especially when advertising is a large part of overall expenses. However, the current advertising landscape presents complexities that often make this area challenging for internal audit groups without specialized expertise.



New reporting methods

Driven by stakeholder demand, internal audit is adopting new models of reporting that simplify the user experience while generating data-driven insights. The resulting reports are more forward-looking and insightful, briefer and more layered, and more visual and dynamic.

The larger and more complex the organization, the faster internal audit needs to adopt these new ways of reporting. Even without advanced analytics, internal audit can still use heat maps, bubble charts, and infographics to convey findings and insights.


Download our full report to learn more about emerging trends in internal audit.
