2025 Internal Audit Risks and Hot Topics

Recent innovations and changes in technology have had resounding impacts on the risk landscape and competitive outlook for almost every industry. Internal audit leaders must adapt rapidly to address these emerging risks. Assurance services are pivotal to protecting organizations and ensuring long-term sustainability.

Implement the New Institute of Internal Auditors Standards

The Institute of Internal Auditors (IIA) published an updated version of its standards that went into effect as of January 9, 2025. The Standards guide the worldwide professional practice of internal auditing. They serve as a basis for evaluating the quality of the internal audit function and for driving the consistency and reliability of audit results internationally. It is strongly recommended to have a readiness plan for implementing the latest version of the Standards going into 2025.

Highlights and Key Requirements From the Latest IIA Standards

  • Internal Audit Mandate: The Board and management must clearly define the authority, roles and responsibilities of the internal audit function. This mandate must be formally evidenced and issued by the Board and management in an internal audit charter.
  • Increased Board and Management Involvement: Increased involvement by the Board and key leaders in the organization is a pervasive theme throughout the new Standards. This includes promoting proactive communication with internal audit and regular monitoring of performance to ensure the needs of the organization are supported effectively.
  • Strategic Plan and Performance Measurement: The new Standards call for formally defining key performance indicators (KPIs) for internal audit’s performance. They promote use of a balanced scorecard to regularly monitor and measure performance.
  • Quality Assessments: The Standards require implementation of a quality assurance assessment and improvement program. This includes collecting internal and external assessments of conformance to the Standards and of progress towards performance objectives.
  • Topical Requirements: The IIA will also be releasing specific guidance on certain key topics, to be used when performing certain types of high-risk or high-impact engagements (e.g., cyber, third-party, business resiliency).

Key stakeholders, such as the audit committee, will expect the internal audit function to comply with the new IIA Standards. Below are additional considerations when adopting the Standards:

  • Have you updated your internal audit charter?
  • Have you considered the impacts on your internal audit methodology?
  • Have you discussed impacts with the Board and senior management?
  • Have you considered how the internal audit function can be tailored to fit better within the purpose and longer-term vision of your organization as a whole?

Mature the Internal Audit Function: ERM and Fraud Risk Considerations

As an organization’s internal audit function matures, implementing an Enterprise Risk Management (ERM) program can provide additional layers of protection in a proactive rather than reactive manner. Established ERM functions help organizations by looking forward, assessing emerging risks, and ensuring that risk mitigation strategies align with the overall strategic objectives and mission of the company. While the internal audit function provides independent assurance, ERM functions partner closely with senior management to actively monitor and mitigate key risks. They also help to prioritize and accept less significant risks, thereby reducing costs and bureaucracy.

A well-established ERM program strategically mitigates risks by:

  • Defining the organization’s risk appetite to facilitate targeted risk mitigation and monitoring
  • Integrating with operational teams and supporting strategic planning by leadership
  • Developing the ERM framework and related policies to be adopted by the operation
  • Driving risk mitigation strategies via risk avoidance, reduction, transfer or acceptance
  • Monitoring emerging risks and communicating with key stakeholders
  • Reporting on findings to senior management and the Board

Establishing an ERM function begins by building out the supporting program framework. It’s important to outline a methodology that considers the organization’s long-term strategic objectives and risk appetite, as well as the ideal governance structure and the tracking and reporting tools needed to ensure that the program is successful.

If this seems daunting, feel free to reach out to one of our ERM professionals. Cherry Bekaert has a step-by-step framework for helping clients set up their initial programs and has extensive experience helping to uplift and mature organizations.

Fraud, Technology and Emerging Risk Considerations

It is critical for those responsible for developing the ERM framework to be knowledgeable about emerging technologies and risks and understand their potential impact on the organization. For instance, in the current macroeconomic environment, emerging risks include geopolitical tensions related to tariffs and the safety and stability of markets affected by ongoing wars or conflicts.

These risks can significantly influence exchange rates, interest rates and the stability of international trade routes. In turn, they also affect the decisions that organizations make about hedging interest rate risks, making capital expenditures, investing in research and development, retaining employees and much more. The ERM function, once established, becomes more than just a risk mitigation group; it is also an invaluable resource for leaders to lean on when making critical long-term decisions.

Understanding new technology is also crucial for enhancing response times, improving fraud detection efforts and automating error detection where possible. Some organizations are already leveraging technology to achieve near real-time fraud detection and deterrence. By combining audit software, data analytics and artificial intelligence (AI), organizations can identify patterns and detect anomalies before they appear in financial statements. Examples of areas that technology can monitor in real-time include:

  • Vendor Payments and Purchasing Cards (P-cards)
  • Employee Credit Card Transactions
  • Unauthorized Master Data Changes and Error Monitoring

Enhance Audit Methodology and Procedures: Automation, Standardization and AI

Internal Audit Automation

Integrating and implementing internal audit software into an organization has become much more streamlined than in the past. Many software programs are cloud-based, off-the-shelf solutions that can be easily acquired and implemented. They can help organizations, large and small, to simplify and standardize their internal audit programs by:

  • Integrating AI tools for real-time research on audit standards and applicable regulations
  • Providing pre-established internal audit methodology, frameworks and templates
  • Centralizing data storage (e.g., risk libraries, integrated reporting tools, one-click archiving)
  • Providing built-in dashboards for project management and periodic reporting of program results
  • Automating workflows and notifications to facilitate communication with key stakeholders

In addition, there are opportunities to leverage tools that will fully or partially automate testing or monitor for errors in near-real time. For example, software offers the ability to:

  • Automate testing through scripts that can be scheduled to run automatically.
  • Send results to internal audit and/or business stakeholders.
  • Replicate any database or specified table to detect errors in near real time (e.g., unauthorized changes to vendor master file data, unauthorized pricing changes, unauthorized credit card transactions in violation of policies).
  • Run analytics and tests of details on full populations in minutes.
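
One way a scheduled test for unauthorized vendor master file changes could look, as an added example that is not from the original article or from any audit product: it compares two replicated snapshots of a vendor table against an approved change log and returns the exceptions. The field names, snapshot layout and approval-log format are assumptions, and all sample records are constructed.

```python
# Continuous-monitoring test for vendor master file changes (added example).
# Assumed layout: a snapshot maps vendor_id -> record dict; the approval log
# is a set of (vendor_id, field) pairs that a reviewer has signed off.
SENSITIVE_FIELDS = ("bank_account", "remit_address", "payment_terms")  # assumed names


def find_unauthorized_changes(previous, current, approved):
    """Return exceptions: sensitive changes with no matching approval entry."""
    exceptions = []
    for vendor_id, record in current.items():
        old = previous.get(vendor_id)
        if old is None:  # vendor added since the last snapshot
            if (vendor_id, "*new*") not in approved:
                exceptions.append((vendor_id, "*new*", None, record.get("name")))
            continue
        for field in SENSITIVE_FIELDS:
            before, after = old.get(field), record.get(field)
            if before != after and (vendor_id, field) not in approved:
                exceptions.append((vendor_id, field, before, after))
    for vendor_id in previous.keys() - current.keys():  # vendor removed
        if (vendor_id, "*deleted*") not in approved:
            exceptions.append((vendor_id, "*deleted*", previous[vendor_id].get("name"), None))
    return sorted(exceptions, key=lambda e: (e[0], e[1]))


def _rec(name, bank, addr, terms):
    return {"name": name, "bank_account": bank, "remit_address": addr, "payment_terms": terms}


# Constructed sample snapshots and approval log (not real data).
YESTERDAY = {
    "V100": _rec("Acme Supply", "111-001", "1 Main St", "NET30"),
    "V200": _rec("Birch Freight", "222-002", "9 Dock Rd", "NET45"),
    "V300": _rec("Cedar Print", "333-003", "4 Mill Ln", "NET30"),
}
TODAY = {
    "V100": _rec("Acme Supply", "999-777", "1 Main St", "NET30"),    # bank changed
    "V200": _rec("Birch Freight", "222-002", "9 Dock Rd", "NET15"),  # terms changed
    "V400": _rec("Delta Consulting", "444-004", "7 Oak Ave", "NET30"),  # new vendor
}
APPROVED = {("V200", "payment_terms"), ("V300", "*deleted*")}

if __name__ == "__main__":
    for exc in find_unauthorized_changes(YESTERDAY, TODAY, APPROVED):
        print("EXCEPTION vendor=%s field=%s before=%r after=%r" % exc)
```

Running the test over the full population means every changed, added or removed vendor record is checked against the approval log, rather than a sample.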

Effortless AI Integration

AI is a powerful tool that has been rapidly adopted to stay competitive and relevant. This technology is not out of reach for smaller organizations. There are simple ways in which AI can drive efficiencies immediately while keeping costs manageable.

One effective method to enhance productivity quickly and affordably is to adopt out-of-the-box AI tools for transcribing meeting notes and producing smart summaries. Cloud-based providers offer access to pre-built AI tools for a low monthly subscription fee.

Many of these solutions feature an AI assistant that can join virtual meetings, listen, take notes and create valuable meeting summaries. These summaries can include key points, areas of concern, follow-up items, next steps and more. Such tools can replace manual meeting minutes, saving time by eliminating the need for manual notetaking.

However, it is important to understand that your meeting notes will be stored on a cloud-based server owned and maintained by the software provider. Therefore, there are important pros, cons and risk trade-offs to consider when selecting a new AI tool, even when it’s an out-of-the-box solution.

With the use of AI, it’s important that internal auditors consider the risks involved with adopting their own productivity tools. It is also important to consider how other groups across the organization may be using AI tools, and how much control the IT function truly has over the centralized oversight of such tools.

Enhanced Cybersecurity Measures

To properly mitigate cyber risks, organizations need to understand the different ways cyber-attacks can occur and the anticipated tactics, techniques and procedures (TTPs) used by threat actors. Below are a few examples:

  • Phishing and Social Engineering
  • Exploitation of Vulnerabilities
  • Ransomware and Double Extortion
  • Lateral Movement and Data Exfiltration
  • Insider Threats and Credential Theft
  • Distributed Denial-of-Service (DDoS) Attacks
  • Banking Malware and ATM Attacks

The internal audit function can perform cybersecurity assessments to ensure that all technology domains maintain a reasonable level of security. However, this requires specialized technical knowledge and expertise, which may not always be available in-house. To address this, some organizations hire part-time contractors for targeted cybersecurity audits, while others plan to hire one or two in-house staff members with IT/cybersecurity skills.

The following audit procedures can help provide enhanced cybersecurity risk coverage:

  • Cyber Policy, Procedure and Standards Reviews
  • Cybersecurity Program Risk and Gap Assessments
  • Technical Configuration Assessments and Remediation Plans
  • Technical Architecture Design Assessments to Enhance Resiliency and Security
  • Incident Response Program Testing and Post-Mortem Analysis (consideration of SEC cyber reporting requirements, if applicable)

Internal audit leaders should collaborate with management across the organization and work closely with the IT department to ensure sufficient coverage of cybersecurity threats within their audit program. Additionally, there should be measurable methods to evaluate the effectiveness of risk mitigation efforts.

Exploring Cost Reduction Strategies and Models for the Internal Audit Function

Organizations can adopt one of three models when establishing their internal audit function. Historically, the traditional in-house model was the only option, where a company would hire all the necessary staff to cover their entire audit program for the year, aiming to retain talent and knowledge within the organization. However, with the increasing technical expertise required to perform audits, it has become increasingly costly to hire all the experts needed to fulfill a robust audit plan. In some cases, various IT experts with unique specializations are required.

To reduce costs and ensure individuals have the right skills and competencies to provide risk coverage, additional models are being adopted.

In-House Internal Audit Model

The in-house internal audit model involves hiring all internal audit positions within the organization, including IT and cybersecurity specialists, SOX experts, and business or compliance subject matter experts (SMEs). This typically requires four to six full-time positions at varying skill levels. The primary advantage of this model is that it maintains continuity and knowledge within the organization. However, it can be costly to compete with market salaries and challenging to attract top talent.

Co-Source Model

The co-source model involves hiring key internal audit positions in-house, such as directors and VPs, typically requiring one to three full-time positions. This model maintains continuity and knowledge within the organization while leveraging contractors and specialists as needed to fulfill the audit plan. It can be cost-effective and expand the organization’s access to top talent and specialists on an as-needed basis.

Outsource Model

The outsource model fully outsources all internal audit responsibilities to an outside firm, which reports directly to executive leadership and the board or audit committee. This model can shield organizations from rising wages through long-term contracts and competitive bidding processes. However, there may be a loss of knowledge when changing firms.

The most effective structure for the internal audit function will depend on the needs, resource constraints and risk appetite of the organization. Management, the Board and the audit committee will need to consider each factor carefully, before choosing their ideal internal audit model.

Key Internal Audit Takeaways

In today's dynamic business environment, it is crucial for organizations to continuously evolve their internal audit functions to stay ahead of emerging risks and challenges. Implementing the latest Standards and leveraging advanced technologies can significantly enhance the effectiveness and efficiency of internal audits. The following key takeaways outline essential steps for modernizing your internal audit function to ensure it meets the rapidly changing needs of your business and the external market environment.

  • Implement the new IIA Standards, which came into effect January 9, 2025.
  • Mature the internal audit function to better support the rapidly changing needs of the business and the external market environment.
  • Enhance audit methodology, strategies and procedures by leveraging automation, standardization and AI.
  • Increase cybersecurity risk coverage to account for emerging threats.
  • Adopt cost-effective and efficient staffing models to fit your organization’s needs and budget.

Your Guide Forward

Cherry Bekaert’s Risk Advisory practice and Internal Audit Services are here to help you every step of the way. Our experienced risk and compliance professionals will customize solutions to meet your requirements and objectives — be it staffing, internal audit effectiveness, testing services or internal audit automation. If you are ready to start your internal audit journey, contact us today.

Contributors

Scott Peyton

Risk Advisory Leader

Partner, Cherry Bekaert Advisory LLC

Yani Diaz

Risk Advisory Services

Director, Cherry Bekaert Advisory LLC

Carole Sorensen

Risk & Accounting Advisory Services

Director, Cherry Bekaert Advisory LLC

Darius Barker

Risk Advisory

Sr. Associate, Cherry Bekaert Advisory LLP