GUEST BLOG POST
Let me start with a real-life story.
When I worked at Solectron, the former CFO, Kiran Patel, held an all-finance meeting in one of our manufacturing plants in Milpitas, California. At the end of the meeting, a lady who had been with the company for many years approached him. She asked whether Kiran found the report she sent him every month useful. He didn’t understand. He couldn’t think of a report he got from her every month. So, he asked her what it was about and where she sent it.
The answer was astonishing. It was a report on a part of the business that was dormant, and she was sending it to the email address of a former CFO. The business had moved on. She had not.
That is the danger for internal audit.
Technology, including AI and robotics, is in the process of reshaping the world—and that includes our world: the one in which we live and work. In the same way that business and its processes are evolving, internal audit and internal auditors needs to evolve in line with the business.
I am not talking about internal audit learning to use AI. No. We should do that, but first we need to know why we are even here. We exist to provide assurance on managements’ processes and controls. Those processes and controls are in the early stages (some are more advanced than others) of a radical evolution. Experts have said that the AI-fueled revolution is going to bring more radical change than the Industrial Revolution!
Will our tried-and-true methods and approaches, even with the assistance of our own AI, meet the needs for assurance on AI and robotic processes and controls? Think not only of finance, but manufacturing, sales, customer support, security, systems development and maintenance, and more.
I don’t know. I doubt it.
We need to know what we will have to provide assurance on first. Some are already saying that we need to embrace AI. Fine. That’s part of the answer. A small answer.
But I am reminded of the man who checked all the reviews and bought the best hammer in the world. Then he looked for the nails to use it on, but all he found were screws. The moral is: should we put a lot of energy and resources into building AI-enabled internal audit platforms and tools that are designed for today when tomorrow and the day after will be radically different?
We need a plan that will evolve as our company evolves. If the company has a clear road map that can be relied upon, get and study it. That’s a great start. But I expect that at most companies vision is limited and blurry.
We must start thinking now about what will be needed from us in each stage of the company’s evolution. Do it today, do not wait for tomorrow.
We are already seeing companies letting many people go. While they say it’s because their work is being replaced by AI, some experts say it’s because they are spending so much money on AI development that they have to slash other costs, and that means people. When people leave, risks may emerge and controls disappear or fail to be performed. New controls will be needed,
So what change is needed from internal audit now, next month, next year, and thereafter? The greatest risks are where there is change. So, what has changed over the last year, what is changing now in the business, and what is about to change?
What Is Changing Now?
Here are some questions to ask:
What has management changed? What are they about to change?
What is management’s roadmap? Who will be replaced by what?
Find out. Which controls will be affected by the loss of personnel? How are the risks they cover being addressed?
What are the new or changed risks of today, and what about tomorrow and the day after?
Are their objectives smart?
Have they done enough to identify and address the risks?
We need to be involved. Don’t stand on the sidelines so you can bayonet the wounded after new technologies and processes fail.
Does the board have all the information they need?
Do we have the resources to help management do all of this right? If not, change now and don’t wait until it’s too late and all the AI-savvy people have been hired by somebody else.
For example, do you have the ability to audit how robots are picking and shipping products to fulfill sales? Do you have the skills on your team to assess the controls over an AI that that will perform journal entries? How about the related ITGC when the AI’s code is written and tested by another AI?
What Needs to Happen Next?
Monitor progress. Step in to help when there are problems. You may not be able to personally fix problems, but you can help management understand them and take the best actions.
Monitor change, preferably before it happens. Be at the table when management is talking about what they plan to do next, what they plan for 2027 and beyond.
Continue to audit proactively.
Don’t forget to perform traditional audits when the risk and value justify them. Don’t audit processes that are about to be totally replaced where your assessments and ideas for improvement will be meaningless.
What Is the Future Vision?
Learn continuously what you will need to audit and how you will need to audit.
Once you know whether it’s a nail, a screw, a laser beam, or a circuit diagram in a robot, redesign your internal audit team and tools to work on them.
At least for a while, the best tool we have and will need is between our ears.
OBSERVE
LISTEN
THINK
LISTEN SOME MORE
SHARE YOUR INSIGHTS WITH MANAGEMENT
Help them and the company succeed. The possibility of failure is very high.
I welcome your thoughts. Please share them in the comment section below. 
Norman Marks is an internal audit and risk management expert and author of the blog, “Norman Marks on Governance, Risk Management, and Audit.” He is also the author of several books, including World Class Risk Management, Risk Management in Plain English: A Guide for Executives, and Auditing that Matters.