Top headlines that defined 2025 for internal auditors

I’ve long embraced year-end as an opportunity to look back at the most significant events impacting internal audit. The year 2025 delivered no shortage of headlines illustrating the profession’s profound challenges and urgent opportunities.

1. Legislators propose abolishing the PCAOB and revisiting SOX

Amid the Trump administration’s aggressive deregulatory push, efforts to eliminate the Public Company Accounting Oversight Board (PCAOB) and Sarbanes-Oxley (SOX) framework held the greatest potential impact for governance, risk, and compliance (GRC) teams. These moves could shake the very foundations upon which modern financial reporting is built — and in turn, shake public confidence in the integrity of financial reporting and financial markets themselves.

Both institutions have survived, but we haven’t heard the last of this. Activity is ongoing. Regardless, every organization should take heed: When compliance requirements go away, the underlying risks do not. SOX and the PCAOB are pivotal in helping organizations instill risk management discipline, controls, awareness, transparency, and accountability. Without them, it’s up to your organization alone to ensure all of the above.

Risk only multiplies in permacrisis, requiring a strategic plan to protect your business. GRC teams should band together to spearhead scenario planning and strengthen risk management — the essence of connected risk.

2. Tariff wars create new supply chain and third-party risks

U.S.-based retailers are warning that high tariffs from key sourcing countries, unclear requirements, and sudden policy shifts are setting the stage for a tough holiday season and challenging spring. Price hikes, job cuts, product portfolio reduction, slower innovation, delayed product releases, uncertain forecasts, reduced capital expenditures, paused orders, and reshaped supply chains and global trade relationships are likely results.

The tariff wars’ far-reaching impacts on retail, however, are merely representative of risks’ ripple effects in today’s hypervolatile risk landscape. For example, the ongoing impacts of high-profile ransomware attacks like the European airports cyber incident and Marks & Spencer cyberattack should be a wake-up call for organizations in every industry. Supply chain and third-party risks now represent enterprise-wide threats.

We must improve our capacity for foresight, including broadening our view to consistently consider second- and third-order risks. That necessitates challenging past assumptions, reviewing audit plans, and developing more proactive response strategies (e.g., scenario testing/planning) that enhance resilience and enable faster responses.

3. Gen AI fueling financial fraud and market manipulation

AI’s fast proliferation introduces novel threats and new vulnerabilities to individual organizations and overall financial-market integrity. In particular, AI-generated “deepfakes” — convincing but fraudulent videos featuring business or government leaders or other influencers peddling false information — are a fast-growing problem necessitating urgent action. Deepfakes have already caused massive financial losses and severely shaken investor confidence.

Effective AI governance is still aspirational for most organizations, and most internal audit teams aren’t ready. Focus on the Future 2026 found that 63% of respondents hadn’t defined a risk appetite or AI governance framework, and only 28% were confident in their team’s ability to audit AI risks effectively.

AI governance and risk management are essential, and internal audit can lead the way. GRC leaders should ensure that AI technologies include appropriate safeguards around security, control, auditability, privacy, and other considerations. Moreover, internal auditors should use AI in their own work, helping them gain the knowledge required to provide meaningful recommendations around AI.

4. President fires federal inspectors general

Federal inspectors general (IGs) have long been seen as enjoying a unique level of independence because only the president can fire them. But that’s what happened the first week of Trump’s second term: 17 IGs received email notification of immediate termination “due to changing priorities.”

Presidents are required to give Congress 30 days’ written notice and a “substantive rationale, including detailed and case-specific reasons” for removing an IG. Such rationales were never provided, and a federal judge ruled the firings illegal — but the IGs were not reinstated, given the president could re-fire them. Congressional leaders have since alleged that the administration is cutting IG resources and blocking critical investigations.

Federal IGs are independent watchdogs charged to root out waste, fraud, and abuse. Their oversight is critical to maintaining public confidence in legitimate government, and as the judge wrote, “Their effectiveness depends on their ability to operate free from political pressure or retaliation.” Presidents can and do remove IGs. But as a former federal IG, I’m concerned by the perceived starvation of oversight functions and inherent challenge to their independence.

How independent are you, really? Take action to safeguard your independence with internal audit’s charter, CEO approval of audit plans, protocols for alerting audit committees to disagreements between management and internal audit, and other key avenues.

5. The Louvre ignored audit recommendations before theft

When thieves carried out a broad-daylight heist of the Louvre, carrying off $102M in crown jewels, the world was shocked. How could the prestigious Louvre have fallen victim? The answer: a series of security failures and issues, including “chronic, structural underestimation” of theft risk and outdated security technology and protocols.

The Louvre knew of these problems before the theft. Why? France’s court of auditors had issued an audit report telling them. The report found that investments prioritized “visible and attractive operations” and recommended prioritizing safety and security updates by cutting expenses in other areas. A modernization plan had been studied since 2018, but the museum kept delaying implementation.

Unfortunately, the Louvre theft is simply a sensational example of an all-too-common failure to heed internal audit’s warnings. I previously highlighted Atlanta’s failure to act on a 2017 audit report finding “thousands of vulnerabilities” and significant “preventable risk exposure” — leaving the city vulnerable to a 2018 ransomware attack crippling city infrastructure. Inaction has consequences, and not listening to internal audit is itself a risk.

Raise the alarm about important issues and refuse to be ignored. Advocate internal audit’s value, resist “groupthink,” and stay resolute in the face of reluctance to hear bad news.

Today’s headlines are tomorrow’s risks

These headlines’ themes should be a clarion call for internal auditors, reinforcing the existential value shift our profession is undertaking. Internal auditors who heed the call — stepping up to help their organizations navigate emerging and evolving risks, and strengthening their standing as independent advisors whose recommendations should be heeded — will be those left standing when the smoke clears. Are you doing enough to define your value and harness it for impact?

See how AuditBoard can deliver real impact for your business in 2026 and beyond.

Book a demo

About the authors

Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as Senior Advisor, Risk and Audit at AuditBoard. Previously, he served for over a decade as the president and CEO of The Institute of Internal Auditors (IIA). Connect with Richard on LinkedIn.