Not long ago the Institute of Internal Auditors released its annual North America Pulse of Internal Audit report, polling nearly 400 chief audit executives on their challenges, plans, and hopes for the next few years.
If we’re being frank, the findings were a bit of a buzzkill.
For example, the number of audit leaders reporting cuts to their budgets or teams jumped sharply. Respondents at SOX-compliant businesses said they will spend much of their time on controls testing and assurance, rather than on value-added work like advising senior management on risk. Indeed, across all businesses, SOX-compliant or not, respondents said they still spend 75 percent of their time on assurance work rather than advising on risk.
We all know that’s not sustainable — or at best, it sustains internal audit as a marginal, “required to have” function rather than a vital, “want to have” function. Audit leaders need to change that paradigm somehow.
One possible way to change that paradigm is artificial intelligence. Specifically, if your audit team can embrace AI agents to automate SOX and other assurance work, that can free up time and manpower to focus on the more valuable (and interesting) risk management work that needs attention.
Sounds straightforward enough. So how can internal audit teams actually pull off that shift?
Where Audit Teams Are Today
Let’s first unpack the disconnect in that IIA report between what audit teams are doing and what they should be doing.
As we mentioned earlier, this year’s Pulse report found a sharp jump in the percentage of respondents reporting cuts to their budgets or teams. The good news is that a majority of respondents still say their budgets are holding steady, but across almost all industries (financial services is the one notable exception) more people are cutting budgets than increasing them.
If you look at things from management’s perspective, however, you can’t really blame them for being so tight-fisted. Economic growth is hard to find these days, and without growth there are fewer budget dollars to go round.
Meanwhile, audit teams spend most of their time on assurance work, and teams specifically at SOX-compliant businesses spend much of their time (41 percent) on financial reporting or regulatory compliance audits — but those aren’t the issues at the top of the board’s mind.
Go read any recent survey of board directors’ concerns. Inevitably, the top risks are economic growth, artificial intelligence, cybersecurity, supply chain stability, and so forth. No director will ever say financial reporting and compliance aren’t important, but when resources are scarce, directors will wonder, “Can’t the audit team just make do with a little less? We have more pressing issue to worry about.”
Simply put, too many audit teams are bogged down in the tedium of testing and the doldrums of documentation, rather than helping with the risk analysis that boards and senior management need.
Enter AI Agents, and a Pivot Point for Audit
This year we’ve seen a flood of claims that AI can solve at least half that problem, by unleashing AI agents to tackle all that documentation work.
For example, one internal audit chief talked on Reddit about how his team (and some AI consultants) built a series of agents to tackle evidence gathering, testing, review, and documentation; which automated 40 percent of his SOX controls and cut testing time 60 percent. Others have made similar claims on LinkedIn. Just about every GRC vendor on the planet has added AI agents into their product lineup, all working toward that same end of more automation.
Whether you build those AI agent capabilities yourself or buy them from a GRC vendor, those capabilities are here. They can (and eventually will) slash the time your staff spends on documentation, testing, and report-writing scutwork.
The question is what you, the audit leader, do next.
Certainly there will be pressure to cut costs. At the same time, however, your corporation will still have all those risks we mentioned earlier: cybersecurity, AI governance, supply chain stability, and more.
If you can’t lean into that opportunity of helping the business to manage those risks, then you will be pulled into that mission of cutting costs, rest assured.
Plan Now to Execute That Pivot
So how can internal audit leaders lay the groundwork for that pivot? One that embraces AI, alleviates your testing and assurance burdens, and positions your team to help the enterprise tackle its urgent risks? We can outline a few steps.
First, handle your AI-driven transformation of SOX compliance carefully. Yes, AI agents can alleviate documentation and testing; but they can also create more review work as you confirm that the results are valid. Continuous controls monitoring means more alerts that need attention.
Internal audit teams need to get this transformation right, both to reap the benefits of reduced burdens and to preserve your credibility with others. If you can’t manage your own function’s risks, why would the rest of the enterprise trust you with theirs?
Second, tie your audit plan to the company’s strategic objectives and business risks. This is how you deliver tangible value to the business: by helping it grow in a durable, risk-aware manner. Ask senior management what its most important goals are; ask First and Second Line business unit leaders what regulatory demands or operational mishaps would thwart those goals.
I suspect most audit leaders already know what your organization’s strategic goals and risks are; that you’re quietly muttering, “I’d love to tackle those issues, if we weren’t stuck doing documentation and testing!”
Exactly so. That’s why getting your own AI transformation right is the precursor to doing more valuable, strategic work. By harnessing AI (and other technologies) for your own team, you can escape those immediate, tactical quagmires to help with those long-term strategic needs.
And third, have a plan to align your human talent and technology capabilities. You’ll need team members who understand your organization’s industry and its risks; who can focus on more complicated work such as control design or investigations, and make better judgments about what makes sense for your business to manage risk. AI and other technologies will help with that, but those things will never eclipse good human judgment.
If you can execute on all three steps above, you can make that pivot toward a more valuable, versatile audit function. Start now.
#SOXPro
#AI
#ProcessImprovement
#InternalAudit
#SOX