Top Headlines That Defined the Year for Internal Audit in 2024
I’ve long embraced year-end as a time to look back at significant events impacting the internal audit profession. The year 2024 afforded game-changing opportunities to define what we stand for and how we will help our organizations navigate the emerging risks shaping their future.
Looking back, I believe 2024 will be remembered as a year that set up several key challenges and opportunities for the internal audit profession that will evolve over the next several years. With that in mind, here are my choices for the top headlines defining our year.
1. The IIA Releases New Global Internal Audit Standards to Lead Profession into the Future
Internal auditors’ professional standards underwent a once-in-a-generation level of transformation in 2024. In January, The Institute of Internal Auditors (IIA) released a sweeping overhaul of its Global Internal Audit Standards (Standards). As Patty Miller and I highlighted, the Standards substantially raise the bar on quality assessments, strategic planning, collaboration, board/management communications, and performance measurement. The Chartered Institute of Internal Auditors (CIIA) released its updated Internal Audit Code of Practice in September. While CIIA’s code aligns with the Standards, it also exceeds them. Both require conformance by January 2025.
Internal audit’s professional standards differentiate us from other risk and oversight functions. These revisions delineate critical opportunities for meaningful transformation. Further, internal auditors in highly regulated industries should be mindful that regulators will look at their compliance. Unfortunately, 35% of AuditBoard’s 2025 Focus on the Future survey respondents won’t be ready by the January deadline, and compliance could worsen as new Topical Requirements come into play. Noncompliance imperils the quality and professionalism of our work. My longstanding advice to CAEs who don’t conform: Reform.
2. FRC Publishes Revised UK Corporate Governance Code
Each new corporate governance debacle provides new insight on the regulations and requirements needed for effective corporate governance. Because the UK has recently experienced several such failures (e.g., Carillion, BHS, Thomas Cook), it was perhaps more attuned to the need to refresh its corporate governance code. The UK’s Financial Reporting Council (FRC) published a revised code in January 2024, providing vital clarity on board responsibilities relative to organizations’ risk management and control framework, reporting, and culture. Most organizations are prioritizing conformance and taking a strategic approach to challenges and implementation.
Though corporate governance codes are well-established in many countries, the U.S. has not had a strong code. However, a corporate governance code likely to gain traction in the U.S. is at last under development. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) and National Association of Corporate Directors (NACD) are collaborating on a principles-based Corporate Governance Framework that aligns with COSO’s Internal Control and ERM Frameworks. Internal auditors should stay tuned.
3. AI-Related Risks Test the Limits of Organizational Risk Management
My 2023 headlines round-up included the need to prepare for AI regulatory compliance. While the risk remains imminent — beyond the Executive Order and EU AI Act, more than 45 U.S. states introduced legislation in 2024 — AI compliance is now only one risk among many.
As AI use proliferates, the correlating risks mount. The year was packed with lessons on how AI interconnects with risks like cybersecurity, fraud, human capital, culture, reputation, and competition. We’ve begun to see how AI-driven hallucinations, biases, data privacy and IP concerns, deepfake technology, phishing, ransomware as a service (RaaS), identity fraud, and mis/disinformation present risks internal auditors can’t ignore. In particular, AI-related fraud risk should be high on internal audit’s radar.
However, CAEs may be underestimating AI’s risks. 2025 Focus on the Future respondents rank risks related to their organizations’ use of AI the lowest of any of the 14 options offered. At the same time, AI use continues outpacing AI governance and risk management. Internal auditors must take urgent action to understand and manage AI risk. The IIA’s AI Knowledge Center, Risk in Focus 2025 — North America, and 2025 Focus on the Future offer insights and resources.
4. Global Computer Outage Is A Wakeup Call
Early on July 19, security vendor CrowdStrike pushed out a defective update. By day’s end, this single piece of bad code had ignited a global IT meltdown, rendering millions of Microsoft Windows computers inoperable. Hospitals, banks, airlines, railways, TV stations, 911, utilities, and supermarkets shut down or went offline. Beyond the near-term impacts, insurer Parametrix estimated $15B in financial losses globally, including $5.4B for Fortune 500 companies.
The finger-pointing continues, but CrowdStrike’s instrumental lesson on third-party risk is already clear. Our technology systems are deeply interconnected, surprisingly fragile, and highly reliant on third-party cloud, software, infrastructure, and other services. Organizations can be impacted not only by the risks of their third parties, but also by the far-reaching web of financial, operational, strategic, regulatory, supply chain, resiliency, reputational, and other Nth-party risks. The time is now to ensure that business continuity and incident response plans are comprehensive and supported by training and testing. It’s also essential to assess reliance on third parties for critical processes, including whether exposures exceed risk appetite.
5. Fed’s Powell, in Policy Shift, Says ‘Time Has Come’ to Cut Rates
In August, citing a slowing labor market and cooling inflation, Federal Reserve (Fed) Chair Jerome Powell signaled imminent policy change. Indeed, following four years of aggressive and sustained rate increases, the Fed announced a half-percentage-point cut to its benchmark interest rate in September. A quarter-point cut followed in November, with Powell broadcasting the Fed’s intent to reduce its rate toward a “neutral” level that neither restricts nor stimulates growth. So while near-term relief is at hand, the future remains uncertain.
Changing economic conditions create significant risks, from first-order budgeting, forecasting, and cost, expense, and margin management challenges to second- and third-order risks such as fraud, supply chain disruption, and capital market volatility. Some CAEs may not fully grasp these impacts, leading to this high-ranking risk receiving inadequate coverage: 2025 Focus on the Future found that while 59% of CAEs see changing economic conditions as a top risk, only 39% allocate more than 5% of their audit effort to it.
As I often say, today’s headlines are tomorrow’s risks — and we must follow the risks. Consider 2024’s headlines as bright, blinking, unmistakable signs pointing us toward a future in which internal audit remains a trusted advisor with a well-deserved seat at the table.
Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as Senior Advisor, Risk and Audit at AuditBoard. Previously, he served for over a decade as the president and CEO of The Institute of Internal Auditors (IIA).