Internal audit future trends

Emerging trends and high-impact areas of focus

In any organization, there are many areas where internal audit’s perspective and skills can provide valuable insights. What are the trends for the coming year, and where can internal audit have the most positive impact and influence?

The year ahead

We have identified 13 focus areas that present opportunities for internal audit to make a positive impact. A focus on these areas, as they relate to your organization, will heighten internal audit’s impact and influence and satisfy stakeholders who desperately need internal audit’s objectivity, skills, and advice as they tackle new challenges.

Robotic process automation and cognitive intelligence

Robotic process automation (RPA) is the use of software to perform rules-based tasks in a virtual environment by mimicking user actions to obtain the same or enhanced results. Cognitive intelligence (CI)—a step beyond RPA—includes natural language processing and generation, artificial intelligence, and machine learning.

As functions adopt RPA, CI, and similar technologies, internal audit should support them in identifying, assessing, and monitoring the risks that come along with these technologies. Internal audit should consider using RPA to automate repetitive controls testing and internal reporting tasks.


Auditing digital risk

Internal audit plans should address the effects of RPA and CI on processes, management, and the organization. To provide sound assurance, internal audit should become involved early. In audit planning, use key risk themes to assess the risks of digital programs, processes, and products. And review the digital strategy and road map to decide where to focus, given the risk themes.

Digital poses the usual cyber risks, plus new strategic, reputational, and third-party risks—in a fast-paced environment. Internal audit should aim to understand the tools used to automate processes and controls and then assess the integrity of those tools.



In recent years, cybersecurity audits have often focused on regulatory compliance—areas such as data privacy, information technology (IT) security, and business continuity. Companies should continue to focus on assurance while understanding that compliance with existing regulations hardly guarantees high, or even adequate, cyber risk management.

Internal auditors accustomed to providing compliance-related assurance need new mind-sets and methods—start by thinking broadly. Then challenge management on risk identification, monitoring, and management in those areas.


Internal audit analytics

Beyond-the-basics analytics is the single most powerful booster of internal audit efficiency and effectiveness available. Yet internal audit’s adoption of analytics has been relatively uneven and slow.

Analytics should be integral to all of internal audit’s planning, execution, and reporting, and it should be reflected in methods and skills accordingly. Set your sights on “Digital IA,” an integrated set of analytical capabilities geared to using and auditing advanced technologies.

magnifying glass

Third-party risk

Business leaders want—and need—a more holistic picture of third-party risks and their management. This calls for internal audit to understand the organization’s entire approach to third-party relationships.

When planning your internal audits, start with an assessment of third-party contracts on the basis of spend and risk. For vendor spend assurance, promote adoption of automated tools for analyzing spend and vendor performance. An overall extended enterprise risk management framework can help uncover key areas of risk, specifically those that are embedded within the third-party ecosystem.


Culture risk

An organization’s culture plays a major role in business performance and marketplace reputation. As the third line of defense, internal audit plays a vital role in culture risk management.

Internal audit should engage in broader organizational-level culture risk management efforts— providing assurance and advice on culture as appropriate and validating risk management activities. A culture risk assessment can provide insight into intangible drivers of risk, controls effectiveness, compliance failures, and potential misconduct. It can also direct audit fieldwork and analysis to where it matters most.

heart rate

Crisis management

A crisis management plan provides a framework and contingency plans for senior executives should the need arise. Responsibility for crisis management sits with senior leaders, which means that internal audit is the logical—and perhaps only—source of assurance and advice.

An organization needs a crisis management program encompassing governance, process, and risks. Go beyond regulatory guidance and checklists. Audit not just the existence of plans, but their likely effectiveness. Also consider industry-specific issues and evolving regulations.


Agile Internal Auditing

Principles and practices of agile development are being applied to audits and projects by forward-thinking internal audit groups. Agile methods foster rapid response to emerging issues, closer collaboration with stakeholders, faster delivery cycles, and streamlined reporting. Agile has the power to revolutionize internal audit by making audits and reviews more relevant, risk based, and real time.

Good candidates for Agile Internal Auditing are areas with a need for more responsive and relevant reporting, high-stakes projects like IT installations or merger integrations, and where internal audit groups need to do more with less. Learn about Agile Internal Audit.

Download our full report to learn more about these emerging trends and others, including:

  • Auditing agile
  • Automated core assurance
  • Cloud migration
  • Data privacy
  • Operational risk assurance

For additional considerations, view the 2017 report.
Did you find this useful?