Skills Needed to Modernize Audit Practices

Auditing in the Age of AI Agents: Evolving Beyond the Traditional Skillset As AI agents become embedded in core business processes, the skills we expect from auditors will fundamentally shift. We’re entering an era where understanding debits and credits isn’t enough—auditors will need to bring together capabilities across cyber, AI, financial acumen, and data fluency. Take the Procure-to-Pay (P2P) process as an example: Traditionally, auditors would test a sample of purchase orders, invoices, and payments to assess control effectiveness. In a world where AI agents are autonomously processing and approving invoices, auditors will need to: • Understand how the AI agent makes decisions, including model logic and input parameters • Assess the cyber risks around system access and manipulation • Evaluate whether the agent adheres to financial controls like segregation of duties or approval thresholds • Test whether the agent can be biased, gamed, or manipulated—something traditional audit approaches don’t address The role of the auditor is evolving from “checking after the fact” to challenging the algorithm in real time. This shift isn’t just about upskilling—it’s a transformation of our profession. The future auditor is part technologist, part analyst, and part challenger. What do you think? Are we ready for that future? And more importantly, are we preparing the next generation of auditors to meet it? That future is closer than we think!

Dear IT Auditors, ITGC in Cloud-Native Teams Many organizations have embraced cloud platforms like AWS and Azure, but very few know how to audit IT General Controls (ITGCs) in a cloud-native environment. Traditional ITGC testing relied on on-premises systems, familiar roles, and predictable evidence. Cloud-native teams change the rules. When developers can spin up resources in minutes and infrastructure is managed as code, how do you validate that controls exist and work without slowing the business down? That’s where modern IT audit practices come in. 📌 Access Management: Instead of static AD groups, cloud environments use identity and access management (IAM) policies. You need to review policies, roles, and entitlements at scale. Focus on least privilege, segregation of duties, and rotation of credentials. 📌 Change Management: Cloud-native teams use pipelines like GitHub Actions, GitLab CI, or Azure DevOps. Your role is to confirm that code changes to infrastructure or applications follow peer review, approval, and automated testing. Ask: Can the organization trace who made changes and when? 📌 Operations Controls: Logs, alerts, and monitoring are built into cloud platforms. The test isn’t whether logs exist—it’s whether logs are retained, reviewed, and tied to incident response. Look at CloudTrail in AWS or Activity Logs in Azure and test for completeness and retention. 📌 Evidence Collection: Screenshots aren’t enough. Cloud platforms produce system-generated evidence like JSON files, configuration exports, and automated compliance scans. As an auditor, you should guide teams to provide structured evidence that regulators and executives trust. 📌 Collaboration with DevOps: The biggest shift is cultural. IT auditors can’t audit cloud-native teams with a checklist designed for 2005. You need to understand the language of developers, containers, and automation, then translate it into assurance terms. Collaboration builds trust, and trust drives better controls. Cloud adoption is accelerating. The question for auditors is simple: are you testing ITGCs the old way, or are you building assurance into the way cloud teams actually work? #ITAudit #CloudAudit #ITGC #AWS #Azure #DevOps #Assurance #RiskManagement #CyberSecurityAudit #GRC #InternalAudit

We Are Failing the Next Generation of Internal Auditors Every successful senior auditor of our time has one thing in common. We had leaders that pushed us all to places we hoped we would find but doubted we would ever see. They let us stand on their shoulders. We as a profession are not doing this for the next generation eager to take the mantle. Today’s early-career internal auditors are entering a profession that’s being completely transformed by AI ... but we haven’t given them the support to thrive. They’re handed audit programs built for another time. Judged by KPIs that reward routine over insight. Told to “keep up” while senior leaders stall on AI transformation. We are asking our most promising talent to solve tomorrow’s problems with yesterday’s methods. Not only are we likely to see a bitter tundra of generational hopes and dreams unfulfilled but we - collectively as a profession - are quickly coming up to the cliff of failing in our most basic obligation to be able to provide accurate, insightful and educated assurance to those that seek it. So what can we do to ensure those just now starting remain to lead the profession to new and different heights in the decades ahead. ~ What Audit Teams Must Do ~ 1 - Give junior auditors hands-on exposure to AI tools used in the business. 2 - Redesign entry-level roles to include data-driven audit tasks. 3 - Involve juniors in risk identification workshops related to AI systems. 4 - Create safe spaces for juniors to propose automation ideas. 5 - Replace checklists with judgment-based learning tasks that build critical thinking. ~ What the Profession Must Do ~ 6 - Update what it means to be a competent auditor to include digital literacy and AI understanding. 7 - Promote career stories that show audit as a launchpad. 8 - Make AI a standing agenda item at all professional forums and roundtables. 9 - Reward AI audit innovation in industry awards and publications. 10 - Create open-source libraries of AI audit tools and templates. ~ What the IIA Must Do ~ 11 - Ditch the Standards and reinvent them for the AI era. 12 - Make AI, automation, and data analytics core to certification and CPD. 13 - Launch a “NextGen Auditor” track with AI-focused curriculum. 14 - Build a free global digital audit toolkit for members. 15 - Create an AI Audit Leaders Council with majority junior representation. 16 - Produce case studies showing how junior auditors can lead AI assurance. 17 - Rebrand the profession around relevance and reinvention. 18 - Establish a global AI audit hackathon. 19 - Launch an “AI in Audit” journal and insights hub. 20 - Create a “Top 100 Emerging Auditors in AI” list. 21 - Provide seed grants for junior-led AI research. 22 - Launch a global mentorship platform. As to what Internal Audit may be for the next generation ... a tale for another time.

⛔ISO19011 Is Changing: What You Need to Know⛔ #ISO19011, the global standard for auditing management systems, is getting a significant update. The Draft International Standard (DIS) 19011:2025 introduces changes that will impact governance, risk, and compliance (GRC) professionals, particularly those overseeing audit functions. ➡️ What’s Changing in ISO19011? 1. Remote Auditing Is No Longer an Exception, It’s the Norm 🔷What’s new? 🔸The 2025 draft expands guidance on remote auditing, aligning with ISO/IEC TS 17012 (conformity assessment for remote audits). 🔸Organizations conducting virtual audits, hybrid audits, or remote compliance reviews will have clearer best practices. 🔷What this means for You: 🔸If your audit programs still treat remote auditing as a workaround, it’s time to formalize it. 🔸New policies and controls for virtual audits will be necessary to maintain audit credibility. 2. Stronger Risk-Based Approach to Auditing 🔷What’s new? 🔸The 2025 draft elevates risk assessment in audit planning and execution. 🔸Auditors will need to assess risks and opportunities within an audit program before conducting assessments. 🔷What this means for You: 🔸Risk-based auditing is becoming a requirement, not a best practice. 🔸Audit teams should prioritize high-risk areas, integrating audits with enterprise risk management (ERM). 3. Virtual Organizations & Digital Evidence Get Formal Recognition 🔷What’s new? 🔸The draft standard acknowledges “virtual locations”, organizations that operate without a physical footprint. 🔸New guidance covers auditing digital processes, AI-driven decisions, and cloud-based compliance programs. 🔷What this means for You: 🔸Compliance audits must adapt to digital businesses, especially in cloud security, AI governance, and fintech. 🔸Organizations will need new controls for validating digital records and automated compliance tools. 4. Auditor Competency Requirements Are Expanding 🔷What’s new? 🔸The 2025 revision strengthens competency requirements for auditors, including skills in cybersecurity, AI oversight, and remote auditing tools (Shea Brown). 🔸Training and evaluation criteria for audit teams will become more structured. 🔷What this means for You: 🔸Expect more rigorous requirements for internal and external auditors. 🔸Consider upskilling your audit teams now in digital auditing, cybersecurity compliance, and AI governance. ➡️How Should You Prepare? ◽Review Your Remote Auditing Policies – If virtual audits aren’t fully integrated into your audit program, now is the time to refine procedures. ◽Strengthen Risk-Based Audit Planning – Compliance is shifting from a checklist approach to a risk-prioritized strategy. Audit programs should align with enterprise risk frameworks. ◽Update Auditor Competency Requirements – The skills required to audit AI, cybersecurity, and remote environments will be increasingly scrutinized. Ensure your teams are trained and ready. A-LIGN #TheBusinessofCompliance

EY just told us what the future of #audit looks like. #Educators take note, this is helpful EY has just announced the global roll out of enterprise scale #agentic #AI across 160,000 audit engagements in more than 150 countries. AI agents will now orchestrate complex tasks, assess risk dynamically, and access continuously updated auditing guidance at a scale and speed no human team could match. This isn't a pilot, It's happening. And that raises a difficult question for accountancy educators, could a newly qualified accountant walk into EY today and genuinely add value? The principles of #compliance, audit, and assurance are still hugely important. EY are at pains to stress that "human judgment, scepticism and insight" remain fundamental. But what examples are being used in class that brings to life this real-world application. The future accountant needs to be skilled in asking questions, interrogating AI output and deciding if the agent got it right, and if not why not? “Challenging the machine is the new competency”. That demands a very different kind of #eductaion and #training. One built around #criticalthininking, professional #scepticism, and an ability to work with intelligent systems rather than simply alongside them. EY are building a global training programme to upskill their own people. The question is, should educators be doing something very similar and faster? https://lnkd.in/ecARbum8

Hi everyone, this is still evolving, and I am learning alongside many of you... As you may recall, in Part 1, I discussed how agentic AI is beginning to reshape the Internal Audit operating model. In Part 2, I focused on governance and the role we need to play as AI scales across the organization...Part 3 is about our people and what we should be doing differently starting now. This shift is no longer theoretical. It is showing up in real environments. Audit work is shifting from execution to configuration, orchestration, and supervision. And that means our skill sets need to evolve. Over the past months, working through this, a few areas are becoming clear. - First, we need to understand how these systems actually work. Concepts like agentic orchestration define how agents interact, pass decisions, and influence outcomes across workflows. If we are going to audit this, we need to understand how risk flows across that ecosystem, not just within a single control. - Second, we need to get comfortable with how solutions are being built. There is a growing shift toward what some call “vibe coding” by using AI to build workflows and logic through prompts. Whether we like the term or not, business teams are starting to build this way. We do not need to become developers, but we need enough familiarity to understand what is being created and where risks can emerge. - Third, data literacy becomes foundational. Understanding how data is sourced, transformed, and used by models is critical if we are going to challenge outputs and validate decisions. This is quickly becoming a core audit skill. - Fourth, our role in AI governance becomes more embedded. As we discussed in Part 2, governance is still evolving. But that does not mean we wait. It means we engage early and help define standards around traceability, accountability, and transparency. All of these point to a broader shift...The future auditor is not defined by how many controls they test, but by how well they understand how decisions are being made in systems that combine data, models, and automation. This is not about replacing people. It is about expanding what “good” looks like, and it means rethinking how we develop our teams. Learning cannot be occasional. It has to be continuous and tied to real use cases. It is very difficult to audit something you have never experienced. As I think about other topics, there are a few areas I am exploring: How far does “vibe coding” go in the enterprise? What does risk look like when agentic orchestration connects multiple systems? How deep does data literacy need to go across the team? These are no longer edge topics. They are showing up in real environments. Are we giving our teams exposure to how these systems actually work… or expecting them to audit something they have never experienced?