Internal Audit & Controls

In this article, Norman Marks explores what the future holds for internal auditing as AI, automation, and rapidly evolving business processes begin to reshape the very foundations of risk and control. Drawing on a real-world anecdote, he challenges auditors to rethink not just their tools, but their purpose, urging the profession to move beyond incremental change and confront the deeper question of what meaningful assurance looks like in a world where the rules are being rewritten in real time.

New Zealand’s Financial Markets Authority has flagged ongoing weaknesses in financial reporting disclosures, even as overall standards remain high and filing timeliness shows signs of improvement.

The Financial Reporting Council has published new guidance aimed at helping audit firms navigate the rapid adoption of generative and agentic artificial intelligence, marking what it describes as the first such guidance from any audit regulator globally.

Macquarie Securities has been ordered to pay about $23 million ($35 million AUD) after Australia’s New South Wales Supreme Court found the firm responsible for years of inaccurate short sale reporting caused by failures in its internal systems and controls.

In a recent LinkedIn post, I posed a question that has quietly lingered in governance circles for years. If courts in the United States have already made clear that boards are expected to oversee risks tied to Mission Critical Objectives, why haven’t regulators directly addressed deficient board oversight in this area?

Sweden’s financial regulator has launched an investigation into Svenska Handelsbanken to determine whether the bank has met its obligations under anti-money laundering rules.

Governance frameworks have made genuine progress on audit independence. Dual reporting lines - administrative to the CFO, functional to the audit committee - are now standard in most mature organizations. The IIA Global Internal Audit Standards codify functional reporting to the board. Audit committee charters address it. Regulators ask about it.