It’s 2025! 5 Internal Audit Resolutions for the New Year

I’ve long embraced the start of each new year as an opportunity to share timely, relevant, and actionable New Year’s resolutions for the internal audit profession. For 2025, I took inspiration — and marching orders — from my November 2024 survey of CAEs on the strategic risks facing the profession. While the past three years’ survey results had been remarkably consistent, CAEs today are reckoning with a transformed risk landscape and a heightened awareness of what’s at stake for internal audit. 

First off, internal auditors continue to face significant challenges in transforming their work, roles, and mindsets: An inability to leverage AI to drive greater internal audit efficiency and productivity was the new #1 risk, lack of IT expertise was #3, lack of coordination across the three lines debuted at #5, and an inability to transition from value protection to value creation debuted at #6. Second, internal auditors continue to struggle to address key risks: An inability to attract and retain talent ranked #2, an inability to address emerging risks #4, and an inability to address critical risks #7. Further, CAEs ranked some critical risks surprisingly low, including the inability to comply with The Institute of Internal Auditors’ (IIA’s) new Global Internal Audit Standards (Standards) and a de-emphasis of regulatory requirements impacting resources.  

This is an unsustainable state of affairs, to say the least. It’s time to get to work. Accordingly, my resolutions for 2025 challenge internal auditors to set an intentional path toward continually improving the quality, value, and impact of their work in these areas. Our success depends on taking small steps that grow into longer distances. As J.R.R. Tolkien is quoted as saying, “Little by little, one travels far.”

1. Finalize and Ensure Ongoing IIA Standards Conformance

The IIA’s new Standards, which require conformance by January 9, 2025, aim to help internal audit teams engineer a strong start to the year. Unfortunately, many teams won’t be ready: 35% of AuditBoard’s 2025 Focus on the Future survey respondents expect to miss the deadline. Missing the deadline, however, doesn’t mean giving up on conforming. Teams who won’t be ready January 9 should urgently prioritize conformance, and teams at any stage should prioritize ongoing conformance. 

The Standards themselves set the course; see Principle 12. CAEs must establish an internal assessment methodology that includes ongoing monitoring of conformance and progress toward performance objectives, periodic self-assessments evaluating conformance, and communication of internal assessment results to the board and senior management. External quality assessments must document and include internal assessments in their evaluation. CAEs must also develop action plans and timelines for addressing nonconformance and opportunities for improvement. 

Once you’ve implemented the Standards, make compliance monitoring a priority for 2025. Conformance will be a moving target as The IIA issues Topical Requirements that become mandatory for audit engagements including covered topics. The final Cybersecurity Topical Requirement is expected Q1 2025, marking a vital opportunity for internal audit to collaborate with InfoSec to improve cybersecurity risk assessments, advance the controls environment, and construct a robust technology strategy.  

2. Improve and Leverage AI Literacy

The top strategic risk facing the profession in the next five years relates to internal audit’s ability to leverage AI to drive efficiency and effectiveness. With that backdrop, while the 2025 Focus on the Future included several alarming findings, its AI-related insights were perhaps the most disturbing. Just under half of CAEs report having a clear understanding of the major uses of AI in their organizations. At the same time, AI is not high on many CAEs’ radar, with “organization’s use of AI” ranking lowest of the survey’s 14 options. Further, internal auditors’ use of AI in their own work is severely lagging, just as overall AI adoption continues outpacing risk management and governance.

Make no mistake: AI will transform our world. But these results suggest that the majority of internal auditors don’t have a good understanding of AI’s uses or risks, are underestimating its impact, and are falling behind in learning about and using it, creating both short- and long-term risks for internal audit. To assess AI risk, use, and governance with real credibility, we must first understand it. We can’t be successful if we don’t take urgent, meaningful action to learn about and implement AI.

3. Amplify Audit Committee Communications to Ensure Transparency

Audit committees often find that they’re not being deceived with inaccurate information, but rather with incomplete information, when management chooses to downplay or withhold certain information. Real-world examples from CAEs include whistleblower complaints, negative employee survey results, potential litigation risks, control deficiencies, emerging risks, vendor issues, and more. 

Disagreements between internal audit and management are not uncommon in the audit resolution process, but internal auditors must nevertheless ensure that audit committee communications do not omit critical information. I recently shared strategies for ensuring constructive dialogue, navigating pushback, and escalating disagreements in such situations. Our credibility requires standing firm and responding with dignity and integrity. The reality is that internal audit is the audit committee’s last best hope to ensure that it’s fully and timely informed of everything it needs to know. Permacrisis will likely persist in 2025; make sure audit committee communications provide the transparency needed for informed decisions. 

4. Articulate Internal Audit’s Value in the Face of a Changing Compliance Landscape

Only time will reveal what the future holds, but we have to believe what the incoming Trump administration is espousing in terms of priorities. There will likely be a deemphasis on regulatory compliance and outright rollbacks. As a result, questions about compliance and internal audit spending are likely, given the assumption that fewer regulations may necessitate fewer resources. 

Just because a compliance requirement goes away doesn’t mean the underlying risks go away. Accordingly, as regulations are scaled back, internal audit should articulate why this doesn’t offer a license for reducing resources, but rather an opportunity to recalibrate their focus.

In some ways, compliance requirements create an artificial level of risk, because the risk becomes not “checking the box.” This focus sometimes prevents internal audit and compliance resources from addressing related risks that are equally important. As your organization strives to understand and address the likely impacts of a second Trump administration, don’t let leadership reduce resources without thoughtful consideration of which risks aren’t being addressed. Instead, embrace 2025 as an opportunity to free up resources from unnecessary diversions and improve internal audit’s ability to help organizations protect and create value.

5. Enhance Connected Risk

The risk-induced disruption and permacrisis that have characterized the first half of the 2020s have rendered traditional risk management approaches obsolete. My new book, Connected Risk: Conquering the Perilous Risk Exposure Gap, is no less than a call to action to transform risk management for the modern age. After all, organizations exist not simply to protect the value they already have, but also to enhance, create, and realize value for stakeholders. To improve resilience and enable better risk-informed decisions, risk and assurance teams must be willing to connect across the three lines. This is the essence of connected risk, a modern, cross-functional approach to managing enterprise-wide risk.

Although many organizations have begun embracing the concept of connected risk, plenty are in the early stages. The book outlines four stages of connected risk maturity to help organizations understand their current state and key opportunities.

  • Stage 1: Communication — Audit, risk, compliance, and InfoSec teams periodically communicate the results of their work, but there’s no real coordination, collaboration, or connection. Processes, technologies, and data are siloed, often resulting in duplicative requests, coverage gaps, and lack of alignment.
  • Stage 2: Coordination — Teams deliberately seek opportunities to coordinate processes and communicate more frequently. While they are sharing more data, misaligned results, coverage gaps, and inconsistent risk ratings remain common.
  • Stage 3: Collaboration — Teams proactively collaborate to share resources and knowledge, coordinate activities, and rely on a unified taxonomy. They are working toward connecting processes and sharing controls and data, improving alignment. But technologies are disjointed, and risk insights are still more reactive than proactive. 
  • Stage 4: Connection — Purpose-built technology ties together teams, processes, and data in a connected ecosystem that optimizes communication, coordination, and collaboration. A unified data core provides a comprehensive view of risk and single source of truth that supports continuous monitoring and AI-enabled analytics, enhancing risk detection, issue resolution, assurance, alignment, and risk-based decision making.

In 2025, resolve to assess where your organization is on the connected risk maturity curve and set a goal for moving forward. AuditBoard’s Connected Risk Report offers insights, guidance, and benchmarking to help organizations move along the path.

As my 2024 survey results clearly demonstrated, the internal audit profession is facing as much strategic risk as it ever has. Our priorities must align with these risks, and the first of the year is an excellent time to recalibrate. The 2025 Focus on the Future report closes with a “future-focused checklist for 2025 and beyond” outlining vital opportunities such as cultivating a strategic internal audit culture, embracing AI, focusing on insight and foresight, and abandoning silos in favor of connected risk. The path is clear. Time to get moving.

Richard

Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as Senior Advisor, Risk and Audit at AuditBoard. Previously, he served for over a decade as the president and CEO of The Institute of Internal Auditors (IIA). Connect with Richard on LinkedIn.