On the Frontlines: The End of Risk-based Auditing?
Mohamed Salah, CIA, CISA | Apr 15, 2025

The traditional risk-based internal audit approach has long been a cornerstone of corporate governance and assurance. This type of auditing has historically provided organizations with assurance by identifying and assessing risks based on predefined frameworks and periodic risk assessments.
However, with the increasing adoption of agile methodologies, artificial intelligence (AI), and advanced data analytics, the relevance and effectiveness of traditional risk-based internal audits are being called into question. As businesses operate in a more complex, geographically dispersed, and highly regulated environment, traditional risk assessments — conducted annually or semi-annually — may no longer suffice.
The IIA has emphasized the need for transformation, warning, in the recent Internal Audit: Vision 2035 report, that failure to evolve could render the profession irrelevant by 2035.
Given these challenges, the question arises: Is the traditional audit approach becoming obsolete? Are we, as internal auditors, relying too much on retrospective risk assessments, akin to driving while looking in the rearview mirror?
As businesses increasingly rely on technology, such as robotic process automation that can execute millions of transactions concurrently, using continuous auditing techniques is becoming a mandate. This is true regardless of the technique and tools you select in accordance with your operations or the specific assignment.
Continuous audit techniques will become heavily dependent on predictive analytics and automated anomaly detection. For instance, AI-driven analytics enable continuous tracking of transactions and behaviors, allowing auditors to detect anomalies in real time. The same technology allows auditors to assess entire populations of transactions rather than relying on limited samples, improving audit coverage and accuracy. AI can also automate compliance monitoring across different jurisdictions, ensuring adherence to complex regulatory requirements. Meanwhile, machine learning models can analyze historical and real-time data to predict emerging risks, with diverse teams, including IT, compliance, and operations, involved in a continuous risk assessment framework.
To address the shortcomings of traditional risk-based internal audit, internal auditors must adopt a more agile and real-time approach to risk management. This involves moving from static, annual risk assessments to continuous, data-driven risk evaluation. To do this, auditors can integrate risk assessment into daily business operations, rather than conducting periodic reviews.
Internal audit leaders must embrace AI, blockchain, and advanced analytics to enhance risk assessment capabilities. They must train their audit teams and develop expertise in data science, cybersecurity, and AI governance to stay relevant. The move toward continuous auditing frameworks that provide real-time assurance is becoming a critical step.
Across internal audit functions of all levels, types, and sizes, we must communicate risks and insights in a proactive, dynamic manner, aligning with business strategy so that we can finally stop driving while looking in the rearview mirror.