Author

Md Maksudul Amin FCCA, former group head of internal audit, ASA International Group

In the digital era, internal audit’s role in risk management, cybersecurity and governance has significantly evolved. Internal audits are now not only compliance instruments but also key components of governance structures that align strategy with risk objectives. This evolution reflects the expanding role of internal audit in setting and implementing risk management approaches, developing resilience and strengthening oversight within organisations.

The 2025 North American Pulse of Internal Audit report, published by the Institute of Internal Audit Foundation, validates this evolution. The report notes that internal audit functions are no longer confined to compliance and financial controls; they are now expanding into strategic risk advisory, governance optimisation and proactive cyber resilience.

Cyber challenges

According to a recent Deloitte report, cyber events are now among the top three issues for boards and audit committees globally. The stakes have never been higher, and ransomware attacks, third-party weaknesses and data breaches pose existential risks to organisations.

In the US, recent Securities and Exchange Commission regulations, including mandatory disclosures of material cyber events and board-level cyber risk management, underscore the internal audit function’s role in this space. In many organisations, auditors are now tasked with:

  • evaluating cybersecurity controls’ design and operating effectiveness
  • assessing the maturity of incident response plans
  • auditing cyber insurance coverage, vendor risk and business continuity planning
  • benchmarking the cybersecurity stance of the organisation against frameworks like NIST, ISO 27001 and CIS Controls.

Effective cybersecurity assurance requires auditors who are digitally enabled and cyber literate. Audit functions are already recruiting more IT professionals to stay abreast of digitalisation. Yet such talent is in limited supply.

Driving digitalisation in microfinance

Having led internal audit in Asia and Africa for a multinational microfinance institution, I have witnessed firsthand how internal audit can act as both a catalyst and a bulwark in digital transformation:

  • Core banking integration. I was closely involved in the oversight of a group-wide initiative to computerise microfinance operations by introducing a core banking solution. Internal audit played a key role in evaluating system readiness, identifying data migration risks and advising management on control frameworks to ensure a seamless transition.
  • Implementation of audit software. After witnessing the ineffectiveness of the manual audit process, I encouraged the utilisation of electronic audit software in a number of regions. This not only introduced transparency but also allowed real-time monitoring of audit issues, significantly reducing overdue findings and enhancing accountability in 14 nations.
  • Fintech-driven loan disbursement. Internal audit also spearheaded the shift from manual loan disbursements to fintech platforms, enabling faster and more secure financial inclusion. Through audits of IT controls, data privacy safeguards and fraud controls, we assisted in ensuring that innovation was matched by good governance.

These experiences illustrate how internal audit can look beyond compliance, actively enabling strategic initiatives while providing assurance that risks are well managed.

Elevating audit’s influence

As cyber and operational risks intersect with governance, audit committees are calling on internal auditors to provide more than just findings; they need insight, foresight and direction for action. Modern governance frameworks require audit functions to:

  • sync up with enterprise risk management (ERM) processes
  • take a seat in strategic planning discussions
  • enable board reporting on environmental, social and governance (ESG), cyber and ethics programmes
  • ensure the tone at the top is replicated in strong controls across all levels.

Internal audit also assists governance functions proactively through the continuous monitoring of IT controls, coordination with information security teams and informing oversight strategies. The synergy between internal audit and information security has become essential to protecting organisational resilience against emerging cyber threats.

High-performing audit functions also maximise their influence by maintaining direct and unrestricted access to the board or audit committee chair, guaranteeing independence while providing strategic context to audit work.

From reactive to proactive

The evolving environment means that internal audit must transition from a reactive, transactional role to an anticipatory, strategy-aligned function. Strategic alignment suggests:

  • auditing not just risks, but also how well the organisation is realising its strategic objectives
  • advising on digital transformation risk, M&A and sustainability programmes
  • participating in the shaping of emerging risk frameworks, especially for intangible risks like reputation, culture and innovation.

This evolution also reflects a broader move to analytical and integrative approaches. Internal audit operations incorporated in ERM enhance not only oversight but also organisational effectiveness. The incorporation of digital technologies into audit activities has also taken transparency and efficiency to a new level, with a direct contribution to better governance outcomes.

Audit leaders must battle for sufficient resources to build capacity in cybersecurity, ESG, artificial intelligence and analytics. This means looking beyond the old models that are simply a function of the number of audits conducted, instead prioritising impact, quality of insights and stakeholder value.

Audit teams today require hybrid skills, including cybersecurity and IT governance; data analytics and visualisation; sustainability and climate risk awareness; and strategic risk management and scenario planning. Teams are recruited from non-traditional professional backgrounds such as data science, behavioural science, and digital risk, as well as conventional accounting and finance expertise.

With risk profiles evolving at a rapid rate, internal audits must adopt agile methodologies, adaptive planning and continuous risk sensing. Training programmes need to concentrate on not just technical proficiency, but also digital literacy, agility and problem-solving collaboration.

Looking ahead

As cyber threats intensify and public expectations increase, internal audit will be at the centre of defending institutional trust. By aligning governance reviews with digital risk oversight and informing the enterprise’s strategic direction, internal audit is the key enabler of sustainable performance.

Strategic realignment in action

In a multilateral microfinance bank, the internal audit team recently re-engineered its yearly plan to align with corporate strategy. This included:

  • launching a cyber resilience audit programme for rural mobile platforms
  • integrating climate risk examinations in branch operations audits
  • offering advice on data governance frameworks in a core banking system upgrade
  • participating in executive steering committees on digital expansion.

The result? Audit was no longer viewed as a compliance watchdog but as a transformation partner, working to both address risk and advance strategic execution.

To reach that point, audit professionals must embrace a new mindset: one based on agility, insight, collaboration and innovation.

The convergence of governance, cyber risk and strategic alignment is not some hypothetical endpoint; it is internal audit’s ‘new normal’. Stakeholders and boards now expect internal audit not only to monitor and assure, but also to advise, anticipate and lead.

For ACCA members, this is a unique opportunity to put internal audit at the heart of enterprise value creation, where purpose meets governance, opportunity meets risk and strategy meets assurance.
