In a Fast-Moving World, Focus on Risk Matters More Than Ever
As business environments become more complex and move faster, even well-run organizations can lose sight of which risks deserve the most attention.
Unless you work in the field, or you are one of my kids, you may still be unclear on what Internal Audit actually does or what value it brings. As I've reflected on how the profession should continue to evolve, a more fundamental question keeps coming up: what value should Internal Audit really be optimizing for?
Recent discussions with audit leaders reinforced something important. The challenge is not that Internal Audit lacks clarity on its purpose. That purpose has always been clear. Internal Audit exists to help organizations stay focused on their most significant risks.
As Internal Audit changes how it operates, its purpose should remain steady. That purpose is neither new nor controversial. Yet in practice, it is harder to live by than it sounds.
The challenge lies in how consistently that purpose is reflected in day-to-day execution.
Explaining Internal Audit's value has been challenging at times throughout my career, and I've experienced firsthand how easy it can be to adjust efforts to accommodate competing priorities, urgent requests, or relationship dynamics, without stepping back to reassess the bigger picture.
Value Comes in Many Forms. So Does Risk.
Internal Audit can create value in many different ways. Recovering overpayments from suppliers. Identifying fraud. Improving policies and procedures. Confirming that processes work as intended. All of these are meaningful contributions.
Risk itself also takes many forms, spanning strategic, operational, financial, technological, and cultural domains. As organizations evolve, the list continues to expand.
What becomes increasingly difficult over time is making clear, explicit choices about where to focus.
Recognizing multiple forms of value does not reduce the need for prioritization. It heightens it. Doing an excellent job auditing lower-level procedural risks does not fully offset missing risks that can meaningfully change the direction of an organization. Depth in one area rarely compensates for blind spots in another.
Judgment Is Part of the Job. Making Prioritization Explicit Is Leadership.
Evaluating risk has always involved judgment. Assessing impact and likelihood is never purely objective; it depends on context, experience, and perspective.
Acknowledging that subjectivity does not remove the responsibility to prioritize. Treating all risks as equal, or defaulting to those that are easiest to scope or assess, may feel neutral, but it still reflects a choice.
Research published by Gartner found that 86 percent of material stock-price shocks were driven by strategic risk failures, while only 14 percent were tied to other categories, primarily operational and financial risks. Yet Internal Audit and SOX teams continue to spend the majority of their time and resources on that smaller portion of the risk universe.
This is not because the profession lacks awareness. It is because prioritization is genuinely difficult to exercise in environments shaped by capacity constraints, historical expectations, and well-established audit rhythms.
Making prioritization explicit, especially at the enterprise level, is not a retreat from assurance. It is one of Internal Audit's most important leadership contributions.
Why Strategic Risks Are Harder to Tackle
Strategic risks affect whether an organization's market positioning, business model, and key choices will deliver the outcomes leadership expects. They are closely tied to how the organization competes, grows, allocates capital, and responds to change.
By nature, these risks are harder to define and harder to evidence. They do not always align neatly with traditional assurance models or standards. Ownership is often diffuse, and discussions can surface uncomfortable questions about decisions that are already in motion or have already been made.
Meaningful engagement with strategic risk often requires Internal Audit to operate closer to the organization's core business cadence: long-term strategy discussions, annual planning cycles, and major investment decisions. It also requires a different posture than reviewing narrowly defined process controls. Judgment, context, and perspective matter more than checklists.
These challenges are real. In many organizations, they are reinforced by structural factors and by the level of support provided by executive leadership and audit committees.
But difficulty does not make these risks optional. Over time, avoiding strategic risks in practice can unintentionally reinforce the perception that Internal Audit belongs elsewhere. Consistent engagement, on the other hand, naturally pulls Internal Audit closer to the conversations where direction is set.
The Opportunity Is Impact
Internal Audit's role has always been to bring transparency and accountability in support of business performance. That role is not fading. If anything, it is becoming more important.
As risks become more interconnected and materialize faster, insight delivered early becomes more valuable than assurance delivered after the fact. Engaging with strategic risk allows Internal Audit to contribute perspective, not just confirmation. It creates space to inform decisions while they are still being shaped, and to influence the organizational structure required to execute them.
This does not diminish the importance of strong execution at lower levels of risk. It broadens Internal Audit's contribution by applying the same discipline and rigor to the areas that most directly influence company-wide outcomes.
A Leadership Decision, Not a Maturity Question
The business environment will continue to evolve. Technology will continue to accelerate. New tools and methods will emerge.
None of that changes Internal Audit's responsibility. At the same time, none of this is simple in practice. Competing expectations, limited capacity, and the need to maintain trust all shape how far and how fast Internal Audit can move.
Engaging with strategic risk is not a future-state maturity milestone. It is a leadership decision. It depends on Internal Audit exercising independent judgment and professional confidence, and on executives and audit committees supporting the use of Internal Audit resources where an objective and disciplined perspective can most effectively inform oversight of the organization's most significant risks.
What Audit Leaders Can Do Now
Engaging with top-level and strategic risks does not require a redesigned audit plan or perfect methodologies. In many cases, audit leaders are already doing parts of this implicitly. Making it intentional is the next step.
First, make the trade-offs in the audit plan explicit. Rather than viewing the plan as a collection of individual audits, step back and assess which enterprise-level risks the plan meaningfully touches, and which it does not. Mapping audit work to the organization's most significant risks makes one thing clear: focus is always a choice. Making those choices visible, especially to the audit committee, reframes the conversation from coverage gaps to informed prioritization.
Second, use existing audit work as a lens into strategic assumptions. Many strategic risks surface indirectly through audits. When issues arise, the most valuable question is often not whether a control failed, but what underlying capability or assumption allowed the issue to emerge. Over time, consistently asking that question shifts Internal Audit's contribution from isolated findings to enterprise-level insight, without expanding immediate scope.
Third, intentionally build dialogue with business leaders around strategic assumptions and risks. This goes beyond observing planning or budgeting forums and moves Internal Audit into active, informed conversation. The objective is not simply to collect information, but to demonstrate relevance by asking thoughtful questions and bringing an independent perspective to discussions that shape outcomes.
Meaningful coverage of top risks will never be perfect, and depth will develop over time. But focus on those risks cannot wait. It has to be exercised daily, through the questions we ask, the choices we make, and the perspectives we bring, if Internal Audit is to fully realize its role.