Reimagining what audit can be

From flashlight to lighthouse.

The title and the goal of internal audit haven’t changed. The work itself has changed enough to be almost unrecognizable, and the shift is bigger than the productivity gains make it look.

For most of its history, internal audit was a backwards-looking discipline. Teams planned projects for weeks, went into a part of the company, picked data sources and samples manually, ticked and tied, and came out with insights on processes and data that were often more than a year old. When the methodology was designed, it was best-in-class. Data was sparse, analysis was slow, sampling was the only honest way to say anything about a population you could not fully see.

Now that feels like an anachronism.

Data that used to sit in disconnected puddles now sits in lakes, and increasingly in oceans of connected sources, and the analytical capability has caught up. What we do with that capability is the open question.

Audit used to be a cheap flashlight. You pointed it at a corner of the company, saw what you stubbed your toe on, and wrote up the hazard. The beam did not reach far; no matter how good you were, you could not see what was around the next bend, or what was forming in the dark further out.

What we have now is a lighthouse. A strong beam sweeping across a wide landscape, showing the company the rocks it needs to navigate around before it hits them. Doing that well requires a different function than the one audit used to be.

Three things have had to shift for the lighthouse to work.

The time horizon. Audit used to be rearward-looking by design. The capability now lets us look in real time, and increasingly, proactively. We run assurance audits on data as it is being generated, see emerging issues as they form, and start to see, from patterns in the current data, what is likely to become an issue in the future. None of that was possible in a sampling-based model at any budget.

The architecture of the function. What used to be three separate teams is converging into an integrated view of risk: internal audit, enterprise risk management, and investigations. The teams still have different mandates. Third-line independence, where we are relied on for a view uncolored by management’s preferences, has to be preserved; that line is structural. But everything we do is fundamentally about risk, and the signals one team surfaces are often most valuable when read against what the other teams are seeing. Without that integration, audit conversations can be painfully precise and still not useful. It is like describing a single tree: the genus, the bark, the markings on the leaves. You leave the meeting and realize nobody knows how many trees are in the forest, where the forest sits on the map, or whether the issue is isolated or systemic. The work is to build the mechanisms that let those signals meet.

That has also forced us to sharpen the language for what we do. Traditional assurance audits are backward-looking, third line, independent. We now also run advisory audits: forward-looking, real-time, still third line, still independent. Separately, we do consulting work, which is second line; we partner with management on how they might approach risk mitigation in an area that is new to them. Three different products from the same team, all feeding a common view of where the company’s risk actually sits.

The capability stack. Productivity gains are the starter level: hours saved, reports generated faster, drafts produced in minutes. Useful work, the part that gets the headlines, and the smallest of the changes AI makes possible.

The second capability is insight. When you can reach across the whole data set instead of a sample, the work shifts from asking what went wrong in one set of transactions to asking what patterns are forming across the enterprise. That gives a senior leader something different to act on when they leave our meeting.

The third is genuinely new work. Things we could not do at all before, at any resourcing level. Risk intelligence is one example. We take data streams from across the company, assess them against known risk drivers, and surface whether there is something real that needs attention. None of that existed in our function five years ago.

Productivity, insight, new capability. An AI strategy that stops at productivity leaves the function recognizably the same, just with fewer people needed. The reimagining happens in the other two levels and delivers dramatically better value to the company.

Every function faces this choice. Audit, finance, marketing, legal, operations. What we build with the new tools decides whether the function stays relevant or becomes the anachronism.