AI GRC Director | AI Risk Manager | Quantitative Risk Lead
Speaker, Corporate Trainer and Executive Advisor
The Evolution Of Internal Audit From Control Testing To Risk-Based Assurance
The role of internal audit has evolved substantially over the past two decades. The traditional focus on testing internal controls over financial reporting has given way to a broader mandate centered on risk-based assurance and advisory services that support the organization's ability to achieve its strategic objectives.
This evolution is codified in the IIA's definition of internal auditing, which describes the function as an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. The definition further states that internal audit helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The inclusion of both assurance and consulting, the emphasis on adding value and improving operations, and the connection to organizational objectives are all foundational to understanding how far the profession has moved beyond its historical focus on control verification.
The IIA Global Internal Audit Standards, which took effect in January 2025 and replaced the prior International Standards for the Professional Practice of Internal Auditing, reinforce this trajectory. Standard 9.1 requires the chief audit executive to develop a risk-based internal audit plan, and Domain V of the Standards addresses the performance of internal audit services across both assurance and advisory engagements. The Standards explicitly recognize that internal audit provides value not only through assurance over existing controls but through advisory services that offer insights, recommendations, and counsel to improve governance, risk management, and operational effectiveness.
The IIA's stated mission captures this dual mandate concisely: to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. The word enhance is as important as the word protect. Internal audit is not limited to identifying what is wrong. It is positioned to identify what could be better.
Risk-Based Auditing: The Current Standard Of Practice
Risk-based auditing is the methodology through which internal audit provides assurance that risks are being managed to levels consistent with the organization's risk appetite as defined by the board and senior management. Rather than auditing every process or control in the organization, risk-based auditing directs audit resources toward the areas of highest risk to the achievement of organizational objectives, ensuring that the internal audit plan reflects the organization's risk profile rather than an arbitrary or rotational coverage model.
Under a risk-based approach, the audit engagement begins with the organization's objectives and the risks that threaten those objectives, not with the controls themselves. Controls are then evaluated in the context of whether they adequately mitigate the identified risks. Audit recommendations are prioritized based on the significance of the risk they address, ensuring that management and the board receive the most consequential findings first.
This approach is explicitly required by the IIA Standards. Standard 9.1 states that the internal audit plan must be based on documented risk assessments that consider the organization's risk management framework, input from senior management and the board, and the results of prior audit engagements. The risk-based plan is not a static document. It must be reviewed and adjusted in response to changes in the organization's business, risks, operations, programs, systems, and controls.
It is important to distinguish the risk-based internal audit approach from the risk assessment requirements that apply to external auditors. The original post referenced SAS No. 104 through 111, which were Statements on Auditing Standards issued by the AICPA Auditing Standards Board in 2006. These standards, which have since been superseded by the AICPA Clarified Statements on Auditing Standards beginning with SAS No. 122, apply to external audits of financial statements conducted by independent public accounting firms. They are not internal audit standards and do not govern the methodology of internal audit engagements. While external audit risk assessment concepts share common intellectual foundations with internal audit risk-based planning, the professional standards, the scope of the engagement, and the reporting obligations are fundamentally different. Internal audit's risk-based methodology is governed by the IIA Standards, not by the AICPA's auditing standards.
The Scope Of Risk Under ISO 31000 And COSO ERM: Threats And Opportunities
A complete understanding of risk-based auditing requires clarity about what risk actually encompasses. Both ISO 31000:2018 and the COSO Enterprise Risk Management: Integrating with Strategy and Performance framework define risk in terms that explicitly include both negative and positive deviations from expected outcomes.
ISO 31000:2018 defines risk as the effect of uncertainty on objectives (Clause 6.1), and the accompanying notes specify that this effect can be positive, negative, or both, and can create or result in opportunities and threats. Critically, the 2018 edition of ISO 31000 also addresses risk treatment options that apply to opportunities, not only to threats. Clause 6.5.3 identifies treatment options that include modifying the likelihood or consequences of events, sharing the risk, retaining the risk by informed decision, and taking or increasing the risk in order to pursue an opportunity. The claim that ISO 31000's risk treatment framework addresses only threats is incorrect under the current edition of the standard. The framework explicitly accommodates both the mitigation of threats and the exploitation or enhancement of opportunities.
The COSO ERM framework, updated in 2017, goes further by integrating risk management directly into strategy setting and performance management. The framework recognizes that organizations must consider the full spectrum of potential events, both adverse and favorable, when setting strategy, defining objectives, and managing performance. Risk appetite is defined not merely as the amount of loss the organization is willing to tolerate but as the types and amount of risk the organization is willing to accept in pursuit of value creation.
This dual scope, encompassing both threats and opportunities, is the conceptual foundation for extending internal audit's advisory role beyond the identification of deficiencies and weaknesses to include the identification of opportunities for operational improvement, strategic enhancement, and value creation.
Risk Appetite Is Not Simply A Function Of Profitability
The original post stated that risk appetite depends on the profitability of a business and that a business needs more profits to undertake greater risks. This characterization significantly oversimplifies the concept of risk appetite and does not align with how the term is defined in authoritative frameworks.
Risk appetite is the amount and type of risk that an organization is willing to pursue or retain in order to achieve its objectives. It is established by the board and reflects the organization's strategic objectives, stakeholder expectations, regulatory constraints, capital adequacy, competitive position, organizational culture, and capacity to absorb losses, among other factors. Profitability is one input to the risk appetite determination, but it is not the sole or even the primary driver.
A highly profitable organization may have a conservative risk appetite because its board prioritizes capital preservation and stakeholder stability. A less profitable organization may have an aggressive risk appetite because its strategic position requires it to take calculated risks to achieve growth objectives. Risk appetite is a governance decision that reflects the board's judgment about the appropriate balance between value creation and value protection, not an automatic function of current financial performance.
Understanding this distinction matters for the internal audit function because it determines the framework within which audit recommendations are evaluated. Recommendations to pursue opportunities must be assessed against the organization's defined risk appetite, not against an assumption that higher profitability automatically justifies higher risk-taking.
What Internal Audit Can Legitimately Do: Advisory Services And Opportunity Identification
The IIA framework provides substantial scope for internal audit to contribute to the identification of opportunities and the improvement of organizational performance, without requiring the creation of a new methodology or a departure from professional standards.
Advisory services under the IIA Standards encompass consulting and related client service activities, the nature and scope of which are agreed upon with the client, and which are intended to add value and improve an organization's governance, risk management, and control processes without the internal auditor assuming management responsibility. Through advisory engagements, internal audit can provide insights on process efficiency, identify best practices observed across the organization or in comparable industries, recommend improvements to operational effectiveness, and highlight opportunities for cost reduction, revenue enhancement, or strategic repositioning.
The internal audit function's unique organizational position provides it with a cross-functional perspective that few other functions possess. Internal auditors examine processes across every business unit, function, and geographic location. They review controls, interview process owners, analyze data, and assess performance against objectives throughout the enterprise. This breadth of access and observation creates a natural foundation for identifying not only weaknesses and deficiencies but also strengths, best practices, and untapped opportunities.
Performance auditing, which evaluates the economy, efficiency, and effectiveness of operations, is an established category of internal audit engagement recognized by the IIA. Performance audits assess whether resources are being used optimally, whether processes are achieving their intended outcomes, and whether opportunities exist to improve performance without increasing risk. This engagement type already provides the methodological framework for much of what the original post described as opportunity-based auditing.
The IIA Practice Guides and supplementary guidance also address the role of internal audit in providing strategic insights. The IIA has published guidance on internal audit's contribution to organizational governance, its role in emerging risk identification, and its responsibility to communicate significant observations about strategic and operational matters to the board and senior management. These guidance documents support the proposition that internal audit should actively contribute to the organization's capacity to identify and pursue opportunities, provided that the function maintains its independence and objectivity and does not assume management decision-making responsibilities.
The Boundaries: Independence, Objectivity, And The Prohibition On Management Responsibility
While the IIA framework supports internal audit's role in identifying opportunities and providing advisory insights, it also establishes clear boundaries that must be respected.
Independence and objectivity are the foundational principles of the internal audit profession. The IIA Standards require that the internal audit function be independent from the activities it audits and that individual internal auditors maintain objectivity in performing their work. When internal audit provides advisory services related to opportunity identification, it must not compromise its ability to provide objective assurance over the same areas in the future.
The prohibition on assuming management responsibility is equally critical. Internal auditors may recommend strategies, identify opportunities, and provide analytical insights, but they must not make management decisions about whether or how to pursue those opportunities. The decision to exploit an opportunity, allocate resources, modify a strategy, or change a business process is a management responsibility. If internal audit crosses this boundary, it compromises its independence and creates a self-review threat that undermines the credibility of future assurance engagements over the same area.
The practical implication is that internal audit's contribution to opportunity identification should be structured as advisory engagements with clearly defined scope and objectives, agreed upon with the engagement client, and documented in accordance with the IIA Standards for advisory services. The internal audit report should present findings and recommendations, not directives. The decision to act on those recommendations rests with management, and the board's role is to ensure that both the risks and the opportunities are considered in the organization's strategic and operational decision-making.
Traditional Auditing + Enterprise Risk Management = Risk-Based Auditing
Performance Auditing + Opportunity Risk Management = Opportunity-Based Auditing
Domains Where Internal Audit Advisory Services Can Identify Opportunities
Internal audit's cross-functional visibility positions it to identify opportunities in several domains that are typically outside the scope of traditional assurance engagements.
Operational efficiency is the most natural domain for opportunity identification. Through process audits, internal audit observes how work is performed across the organization and can identify redundancies, bottlenecks, manual processes that could be automated, and variations in practice between business units that suggest some units have developed more effective approaches than others. Recommending the adoption of best practices observed in one part of the organization by other parts is a straightforward form of value-adding advisory insight.
Technology and digital transformation present significant opportunities for internal audit contribution. As internal audit evaluates IT general controls, application controls, and data governance, it develops an understanding of the organization's technology landscape and its limitations. Advisory insights about opportunities to leverage data analytics, automate controls, improve cybersecurity posture, or adopt emerging technologies can add substantial value, particularly when internal audit has invested in building technology competence within its own function.
Strategic and market intelligence may emerge from internal audit engagements that span multiple business units or geographic markets. Internal audit may observe market trends, customer behavior patterns, competitive dynamics, or regulatory developments that individual business units have not synthesized into actionable intelligence because each unit sees only its own segment of the picture. Communicating these observations to senior management and the board is a legitimate and valuable advisory contribution.
Cost optimization is closely related to operational efficiency but warrants specific attention because cost reduction opportunities often require cross-functional coordination that individual business units are not positioned to undertake independently. Internal audit's cross-functional perspective enables it to identify procurement consolidation opportunities, shared service efficiencies, and resource allocation improvements that individual functions may not be able to identify from within their own boundaries.
Governance and risk management maturity itself represents an opportunity domain. Internal audit can recommend improvements to the organization's governance structures, risk management processes, and compliance frameworks that not only reduce risk but also improve decision-making quality, stakeholder confidence, and organizational resilience. These improvements create value that extends beyond risk reduction.
Structuring Advisory Engagements For Opportunity Identification
For internal audit functions that seek to expand their advisory contribution to include systematic opportunity identification, several practical considerations apply.
The internal audit charter must authorize advisory services. The charter, approved by the board or audit committee, defines the purpose, authority, and responsibility of the internal audit function. If the charter does not explicitly authorize advisory and consulting engagements, it should be updated to do so before the function undertakes opportunity-focused advisory work. The IIA Standards require that the nature of advisory services be defined in the internal audit charter.
The risk-based audit plan should incorporate advisory engagements. Opportunity-focused advisory work should not be conducted as an ad hoc activity outside the formal audit plan. It should be incorporated into the plan as defined advisory engagements with clear objectives, scope, and resource allocations. This integration ensures that advisory work receives appropriate governance oversight and does not divert resources from the assurance engagements that remain the core obligation of the internal audit function.
Competency requirements may differ from traditional assurance engagements. Advisory engagements focused on opportunity identification may require internal auditors with operational, commercial, technology, or strategic competencies that go beyond traditional audit skills. The chief audit executive should assess whether the internal audit team has the capabilities required for the advisory engagements contemplated and should invest in training, rotation programs, or co-sourcing arrangements to address competency gaps.
Communication and reporting must be tailored to the advisory context. Advisory engagement reports should be distinguished from assurance engagement reports in format, tone, and distribution. Advisory findings and recommendations should be presented as insights and suggestions rather than as deficiency findings. The distribution should include the management stakeholders who are positioned to act on the recommendations, and the report should clearly identify that the engagement was conducted as an advisory service rather than an assurance engagement.
From Assurance To Insight: The Future Of Internal Audit's Value Proposition
The trajectory of the internal audit profession is clear. The function is moving from a compliance-focused control testing role toward a strategic advisory role that delivers assurance, insight, and foresight to the board and senior management. The IIA Standards, the profession's evolving competency frameworks, and the expectations expressed by boards and audit committees all point toward an internal audit function that is valued not only for what it finds wrong but for what it helps the organization do better.
This evolution does not require the creation of a new methodology with a new acronym. It requires the disciplined application of the advisory capabilities that the IIA framework already authorizes, within the independence and objectivity boundaries that the Standards require, and with the competencies and governance structures necessary to deliver advisory insights that are credible, actionable, and genuinely valuable.
The organizations whose internal audit functions successfully make this transition will find that the function becomes a more valued strategic partner to the board and senior management. The functions that remain exclusively focused on assurance will continue to add value through their core mandate but will not realize the full potential that their cross-functional perspective and analytical capabilities make possible.
The opportunity for internal audit is not to replace management's role in identifying and pursuing business opportunities. It is to ensure that the internal audit function's unique organizational position, its enterprise-wide visibility, its analytical discipline, and its commitment to objectivity are fully leveraged to help the organization see what it might otherwise miss.
Final Perspective
Internal audit should not become a strategy function. But it should not limit itself to control failures either.
The most mature internal audit functions assess whether the organization's governance, risk management, and control processes are helping management pursue strategic objectives with discipline, transparency, and resilience. That includes evaluating whether the organization is missing value because of weak assumptions, poor execution governance, fragmented accountability, or unmanaged risk in strategic initiatives.
If framed this way, the idea behind opportunity-based auditing remains powerful. Internal audit does not need to own opportunities to audit whether the organization is equipped to identify, evaluate, and capture them responsibly.
That is where the function can contribute real strategic value without compromising independence.
References
Institute of Internal Auditors. Global Internal Audit Standards.
Institute of Internal Auditors. The Three Lines Model.
Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management: Integrating with Strategy and Performance.
Public Company Accounting Oversight Board and external audit risk assessment standards, where relevant to the financial audit context.
Leading market practice in strategic internal auditing, transformation assurance, and advisory engagements that preserve independence.