Over the past decade, I have often discussed the strategic risks facing the internal audit profession. That includes several warnings I offered back in 2014:

• Credibility of the profession would be diminished by too many “where were the internal auditor” moments.
• Key stakeholder perceptions of the profession would decline as we rely too heavily on assurance to the exclusion of insight and foresight.
• Noncompliance with standards would negatively impact the quality of our work.
• Blurring lines of defense would afford management the opportunity to rely on other monitoring and oversight functions in lieu of internal audit.
• The profession would struggle to recruit and retain talent to address technology risks.

In 2022, I posed this question on LinkedIn: What are the most critical strategic risks facing the profession in the decade ahead? Although it was an impromptu poll with only four options, I was amazed that more than 1,000 people responded.

Realizing how rapidly the world is changing, and how strategic risks to our profession are likely to follow suit, I conducted the survey again in 2023 and the response was similarly impressive. It showed internal auditors realize that understanding strategic risks is integral to the resilience, adaptability and overall success of the profession.

As 2024 gets underway, I have cast the net again, asking survey takers to rank strategic risks that are “most likely to threaten your internal audit function in the next five years.” Based on the three top responses from a list of risks presented, here are the seven greatest strategic risks as seen through the eyes of our colleagues:

1. Inability to Attract and Retain Talent. This risk has topped the list each time I’ve asked the question. That’s not surprising, considering the overall talent shortage in overheated economies around the world. However, I believe it also reflects the challenges (as several other strategic risks indicate) of recruiting and retaining skills that are crucial to the profession’s mission – particularly technology.
2. Inability to Effectively Leverage Technology. As with the talent risk, the ability to leverage technology in the execution in internal audit’s mission has remained steady at No. 2 in each of these surveys. Leveraging technology solutions is no longer seen as a leading practice in the profession. Rather, it has become essential to delivering value and meeting stakeholder expectations. Yet, the prominence of this risk reflects a recognition that we still have much work to do to harness the power of technology.
3. Inability to Leverage Artificial Intelligence as a Capacity Multiplier. In the past year, we have witnessed breathtaking acceleration in the adoption/proliferation of AI. So, it’s not surprising that the profession’s ability to leverage AI is now seen as a strategic imperative. Generative AI presents huge opportunities for the profession, yet as observed in a recent co-authored article for AuditBoard, “At most, 10% of internal auditors are using generative AI in any way in their own work, and 50–75% have not made any efforts to explore or implement generative AI in internal audit.” This is a strategic risk that is not going away.
4. Lack of IT Expertise. This strategic risk differs from No. 2. Here, internal auditors are recognizing that our skills and expertise in auditing technology risks are sorely lacking. The gap is likely to grow as AI risks become even more prominent in our organizations.
5. Inability to Identify Critical Risks. It is not surprising that this continues to be seen as a strategic risk. Fortunately, it is no longer seen among the top three. Yet, for those internal audit functions that don’t adequately assess and address the critical risks facing their organization, this risk could be existential,
6. Stakeholder Audit/Oversight Fatigue. The first quarter of the 21^st century is almost in the books. One key trend in the corporate sector has been the proliferation of second- and third-line functions, such as risk management, compliance and even internal audit. Some industries, such as financial services, have seen exponential growth in these functions. For internal audit, the risk is an inability to differentiate the value we deliver compared with second-line functions. Stakeholder fatigue refers to the risk that our stakeholders won’t support us (particularly during economic downturns), because they think there are “too many checkers and not enough doers.”
7. Inability to Identify Emerging Risks: The profession continues to register concern that challenges in identifying emerging risks will lead to the inevitable “where were the internal auditor” moments. Surprisingly, this risk has receded at a time when risk chaos and uncertainty have never been greater. Let’s hope this risk is not as significant as many of our colleagues think.

There you have it. The seven most significant strategic risks your colleagues fear as threats in the future. Two risks that didn’t make the top seven were: “AI assuming some or all our mission,” with only 17 percent of respondents rating it among their top three risks; and an “inability to comply with the new IIA standards,” ranked by 5 percent.

Finally, there were a few write-in strategic risks that are worth noting. A few respondents were concerned about a lack of internal audit independence and a lack of effective leadership, diversity and adequate compensation. All are worth monitoring.

I welcome your thoughts on LinkedIn or X. Or drop me an email at blogs@richardchambers.com.