Internal audit as board partner

Internal audit is being recast as a board adviser on future risks, not just a checker of past controls. The shift is embedded in the Institute of Internal Auditors’ Global Internal Audit Standards, which took effect on January 9, 2025. (theiia.org) The Institute of Internal Auditors released the standards on January 9, 2024 after a multiyear rewrite of its International Professional Practices Framework. The standards say all internal audit functions are expected to conform and organize the work across five domains, including “Governing the Internal Audit Function.” (theiia.org) That governance domain shifts the relationship with directors. It requires chief audit executives to work closely with the board to establish the function, preserve its independence, and oversee its performance, while senior management has defined responsibilities to support that structure. (theiia.org) The Institute of Internal Auditors said the rewrite was designed for a “complex and rapidly changing business environment” and would strengthen governance frameworks and add more specific guidance on areas such as cybersecurity. The same release said the standards are meant to enhance internal audit’s role as “an essential business partner” to boards and senior management. (theiia.org) That puts audit committees in a different posture in 2026. Instead of limiting internal audit to compliance testing and control reviews, boards are being pushed to use it for forward-looking risk work on artificial intelligence, cyber threats, and other fast-moving exposures. (theiia.org) Artificial intelligence is the clearest example of that change. PwC said in June 2025 that audit committees now need oversight of AI in financial reporting, internal control over financial reporting, risk management, compliance, cybersecurity, and internal audit’s own use of AI tools. (pwc.com) PwC also reported that 57% of directors said the full board has primary oversight of emerging technology like AI, while 17% said the audit committee has that responsibility. In companies where the audit committee takes the lead, PwC said members should focus on strategic opportunities as well as risks. (corpgov.law.harvard.edu) Sustainability reporting is widening the same lane. Guidance circulated in 2025 by the Global Accounting Alliance and the International Federation of Accountants said the audit committee or relevant board committee should understand and approve the company’s approach, risk assessment, and control framework for sustainability information and reporting. (globalaccountingalliance.com) That means internal audit is increasingly being asked to test whether nonfinancial reporting systems work with the same discipline expected in financial reporting. EY said internal audit teams preparing 2024 and 2025 plans should consider sustainability reporting, emerging regulation, and embedding environmental, social, and governance work into audit projects. (ey.com) Consulting firms are framing the AI side in similar terms. Deloitte said in November 2025 that internal audit can act as an “AI catalyst” by reviewing governance, risk management, and controls, and by embedding AI risks into audit planning before weak oversight hardens into a bigger problem. (deloitte.com) The net effect is a broader mandate for both sides of the table. Boards are being told to engage internal audit earlier and more directly, and internal auditors are being told to bring risk signals on strategy, technology, and reporting before those issues show up as failures. (theiia.org)