Risk & Audit at a Crossroads
Key Takeaways
- Shift in Internal Audit Role: The 2025 North American Pulse of Internal Audit report highlights that a large percentage of CAEs at publicly traded companies are responsible for SOX compliance, with an increasing focus on risk management and Enterprise Risk Management (ERM).
- Increased Resources for SOX: Last year, 34% of companies increased their budgets and 25% increased staff, mostly to meet SOX requirements or maintain risk registers.
- Internal Audit as Compliance-Oriented: The 2024 IIA Vision 2035 report and the 2025 IIA Pulse of the Profession indicate that internal audit is largely viewed by management as focused on compliance and policing.
- ERM Frameworks and Strategic Planning: Despite the ISO definition of "risk" as the effect of uncertainty on objectives, many ERM frameworks are disconnected from strategic planning, which limits their effectiveness in managing Mission Critical Objectives (MCOs).
Deep Dive
In this article by Tim Leech, we look at the evolving role of internal audit and risk management functions. The 2025 North American Pulse of Internal Audit report has just been released, and it contains observations that are crucial for understanding the current landscape of internal audit and risk management. The question is whether organizations should stick with the traditional model of Risk & Controls Enforcement, or shift towards providing decision support services aligned with mission-critical objectives (MCOs) and the risks linked to them.
Stick with Risk and Controls Enforcement or Retool to Provide Decision Support for Mission-Critical Objectives and Risks?
The 2025 North American Pulse of Internal Audit report has just been released and contains important observations:
- Almost 80% of CAEs at publicly traded organizations have SOX responsibility.
- Publicly traded companies use internal audit functions extensively for SOX requirements.
- Sarbanes-Oxley comprises a large portion of the audit plan where SOX is implemented.
- Last year, 34% increased their budgets and 25% increased staff, mostly to meet SOX requirements or to create and maintain risk registers.
- CAEs are more likely to be responsible for ERM now than 9 years ago. (In cases where CAEs are given responsibility for ERM, the majority implement a risk list approach to ERM.)
The 2024 IIA Vision 2035 report indicates that the majority of management sees internal audit as focused on compliance and policing. The 2025 IIA North American Pulse of the Profession corroborates this conclusion.
On the risk front, 15 years of surveys conducted by NCS/AICPA on board risk oversight show that few ERM frameworks are integrated with strategic planning. Why? Because most ERM frameworks are simply lists of disparate risks, rather than reports on the uncertainty and risk being accepted, linked to MCOs. This is despite ISO’s definition of “risk” as “the effect of uncertainty on objectives,” and the fact that real “top risks” are linked to a company’s MCOs: its top strategic and value-creation objectives, the ones key to sustained success.
This situation persists even though every risk management standard, dating back to AS/NZS 4360 in the '90s, has claimed that two of the top benefits of a formal risk management framework should be better decisions and better resource allocation.
My post last week outlined a new vision for risk and internal audit focused on helping companies realize the top benefits of formal risk management as promised by ISO 31000 and COSO ERM. To realize that vision, both professions need to rebrand and retool how they work. Objective-Centric Risk and Uncertainty Management (OCRUM), focused on MCOs, is a tangible and tested way to achieve that. Companies that implement strong first-line objective-centric risk management redefine roles. The second line of defense helps first-line management assess and report on risk linked to MCOs. The third line, internal audit, quality-assures the risk and uncertainty information on MCOs provided to the CEO and board.
Companies and boards that elect to stick with the status quo for risk and internal audit should consider renaming those functions Risk & Controls Enforcement to avoid any misunderstanding. Risk and internal audit using status quo methods have no mandate to focus their efforts on the risk and uncertainty linked to MCOs. CROs and CAEs should not claim to regulators or shareholders that they are focused on real “top risks”; that stance has led to consequences such as the sanctions and $18.5 million in fines suffered by Wells Fargo’s CRO/CAEs. Real top risks are linked to MCOs.