Must-Know Trends for Insurance Auditors in 2025

As tighter regulatory oversight, climate change and environmental risks, cybersecurity and data protection, and other critical and emerging risks continue to shape the insurance industry, greater collaboration will be essential to understand the full scope of risk and compliance needs across the enterprise. 

We spoke with audit leaders at insurance companies and experts at Big 4 audit firms to uncover the top trends they anticipate will impact internal auditors in insurance as they navigate a rapidly evolving risk landscape in 2025.

See what’s on their radar, then download a copy of 2025 Audit Trends in Insurance to learn about the successful strategies internal audit teams are using to enhance collaboration and meet new challenges.

Trend 1: Connected risk can be achieved in different ways

While the approach AuditBoard calls “connected risk” goes by many different names and definitions, a common thread is enabling the three lines to efficiently and effectively work together, thus empowering leaders to make better decisions. From our conversations, we learned that in practice, there is no single, defined path to achieving connected risk; in fact, there are a number of actions organizations can take that lead them closer to achieving this desired state. 

Different paths lead to connected risk. 

One Global Controller and VP at a large insurance brokerage summed up their definition of connected risk as the linking of risks to controls that helps break down risk silos. One partner at a Big 4 firm noted that technology is the foundation for driving connected risk by bridging the risks the company cares most about to the activities of the three lines; specifically via a dashboard and heatmap. This partner also noted that connected risk’s strength lies in its focus on better data, which is achieved when the second and third lines work closely together and with the first line. A CAE and VP at a large mutual insurance company said they visualize connected risk as an ecosystem with an inner ring — the connected risk culture, set by executive leadership and the board; a second ring — the three lines, an extension of that risk management culture; and an outer ring — external auditors, regulating agencies, and regulators. 

Trend 2: The push for connected risk is coming from various places

A mix of both external and internal factors contributes to a stronger push for connected risk. External macro factors such as rapid technological transformation, widespread cybersecurity threats, and the risks associated with AI adoption emphasize the need for effective collaboration with key stakeholders, such as the CISO and ERM teams. 

Internally, the push for connected risk frequently comes from internal audit, ERM, the business, and the board. 

For one large insurance brokerage, the ERM team initiated connected risk efforts out of a desire to mature their risk register and provide more valuable risk insights to the board. ERM set out to tackle risk silos by initiating a mutual data exchange with their internal audit and SOX teams. By leveraging a connected risk solution, these groups successfully integrated previously siloed data — including SOX controls, audit data, and risks and controls defined by ERM — into one solution, which has enabled them to share data more strategically and efficiently moving forward. 

For one medical malpractice insurance company, connected risk started with internal audit. After their CAE attended the company’s strategic planning session, they identified an exciting opportunity to connect perspectives across the business, the board, and the audit, finance, and risk committees and align them with the organization’s strategic objectives. 

A partner at a Big 4 firm noted the incentive for connected risk can often be traced back to the board and the business. Oftentimes, board members are overwhelmed by the sheer volume of information — which is not always organized in a coherent manner — that they receive throughout the year from management and risk professionals. This has led to a push for clearer metrics and more comprehensive perspectives that account for all three lines of business. On the business stakeholders’ side, the push for connected risk comes from the frustration of being disrupted by audit and risk processes that are often more distracting than helpful. Audit fatigue can be exacerbated if the audit teams are looking at the wrong risks or if internal audit does not consult with the business afterward to provide actual value from the audit work performed. These issues have led to a push toward getting all three lines better connected around what is most important so that both internal audit and the business can derive the maximum value from audits. 

Trend 3: There are many ways to get started with connected risk 

Where an organization starts its connected risk journey should depend on its specific needs, strengths, and organizational structure. One entry point is to consider the relationships and needs of the team leading the connected risk charge in your business. 

There is no single “right” way to get started with connected risk. 

One partner at a Big 4 firm believes starting by looking at the business’s risk appetite can be productive because this is how the business communicates what is most important to them from a risk perspective up to the board level. Moreover, the business is a key starting point for connected risk because they have the closest perspective to the obstacles that will prevent them from achieving their goals, and are also incentivized because their compensation is tied to their performance. 

A Global Controller and VP at a large insurance brokerage believes partnering with the data analytics team is a great starting point because they have a wealth of knowledge and access to data across different functions. Sharing this data among connected risk stakeholders is foundational to creating better partnerships and collaboration. By partnering with data analytics, whoever is leading the connected risk charge can access important data more easily than by reaching out to different teams — and can even arrange for monthly reports on critical areas of the business to be delivered to them. 

One VP and CAE at a large mutual insurance company believes sharpening the value proposition of the team leading the connected risk charge — internal audit, at their organization — should be a top priority. Upskilling the team leading connected risk is a necessary first step so that they have credibility when performing advisory work and engaging with the business. Ensure this team is properly educated on the key elements of connected risk; for example, they should have a comprehensive understanding of the business’s risk taxonomy as well as the company’s strategy. The more well-versed this team is, the better equipped they will be to contextualize their connected risk efforts and derive insights into what is and isn’t working. 

A CAE and VP of a medical malpractice insurance company noted that in their experience, connecting with the chief governance officer (or equivalent role) was a great place to start because they carry influence with the board that helped support and propel their connected risk efforts. Additionally, connecting with someone at the senior leadership or strategic planning level can be helpful to bring the various connected risk stakeholders together. 

From strengthening AI governance to further coordinating assurance across the three lines, it’s clear that internal auditors at insurance institutions have a key role to play in optimizing risk management going forward. Get your copy of 2025 Audit Trends in Insurance today to read how audit teams can lead the way.