Internal Audit's Awesome Opportunity - Connected Risk
The critical and emerging trend shaping how Internal Audit, Risk and Control functions operate in the future.
Today, I want to share my insight about an emerging topic affecting SOX and Internal Audit leaders. I believe it will reshape how Internal Audit, SOX, and other second-line risk, control, compliance, and assurance functions operate over the next three to five years—and it's already transforming some companies today.
In this article, I will outline this emerging topic, the opportunities and risks it presents to Internal Audit Leaders, how Internal Auditors can begin to help, and what needs to be in place to take advantage of this opportunity.
In today's business world, where new technologies and business risks make competition increasingly difficult, organizations are placing greater emphasis on improving profit margins.
This focus will result in companies intensifying their scrutiny of non-revenue generating functions. Second- and third-line risk, control, compliance, and audit functions will face closer examination.
Specifically, organizations will evaluate these functions not just on their performance, but on their return on investment—asking whether they're getting enough value for their money and how they stack up against their peers.
This internal scrutiny is often reinforced—or sometimes driven—by several key factors:
- Underperformance in one or more of these GRC and Audit functions.
- Service providers, software vendors, and external auditors advocating for greater integration and connectivity among these functions through their thought leadership and executive discussions.
- Experience of Audit Committee and Board members from their roles at other companies—especially those who have successfully optimized their GRC functions.
- CAEs, CROs, CISOs, and Chief Compliance Officers interviewing for open roles who share their experiences in successfully integrating these functions.
This heightened scrutiny presents both a significant risk and an extraordinary opportunity for the Chief Audit Executive.
On the positive side, this emerging trend presents aware Internal Audit leaders with an opportunity to catalyze change. They can address the pain points of underperforming functions while improving how second- and third-line processes coordinate, cooperate, consolidate, and connect.
But here's the stark reality: if Internal Audit leaders don't seize this opportunity to drive transformation across their second- and third-line functions, someone else will—be it the Chief Risk Officer, Chief Operating Officer, or another executive with transformation responsibilities.
When—not if—this consolidation occurs, certain second- and third-line functions will merge. While the internal audit team may stay intact, the CAE role will likely become obsolete, with the transformation leader taking charge of a unified Audit, Risk, and Compliance function.
So, what can Internal Audit and SOX leaders do to seize the opportunity this new business reality presents?
We can be the catalyst to drive our organization’s Connected Risk approach.
More specifically, we can address and fix the pain points in existing risk management functions, including:
- Siloed second- and third-line teams
- Fragmented and disconnected enterprise data
- Outdated technology and manual processes
- Poor adoption rates among risk owners, control owners, and audit stakeholders
For audit and SOX professionals, several key areas and processes offer quick wins for organizations looking to implement a Connected Risk approach.
First, build a unified risk and controls matrix—a single source of truth for the entire organization. Work with peer departments to consolidate all risk and control information into one accessible application that everyone in the organization can use.
Next, organizations have an opportunity to better understand their fragmented risk data, and Internal Audit is well-positioned to help. Multiple teams—including Compliance, EH&S, SOX, Human Resources, Information Security, and Internal Audit—currently conduct separate risk assessments.
How effectively do these assessments align with the organization's broader enterprise risk program? Does the organization maintain a shared risk framework that everyone understands—with consistent scoring methods, clear definitions, and standardized assessment criteria? These areas present prime opportunities for Internal Audit to add value and drive improvements.
Finally, there are opportunities in many organizations to streamline follow-up activities for key risk, control, and assurance processes while reducing resource requirements. Internal Audit can lead by consolidating issue remediation and action plan implementation into a single enterprise-wide follow-up process. And due to Internal Audit's independence, we are ideally positioned to take on the work of verifying that action plans are properly implemented for all issues identified across the organization.
These three areas provide straightforward opportunities for SOX and Internal Audit teams to support their organization's Connected Risk approach. To learn more about Connected Risk and discover ways to advance your organization's approach, AuditBoard offers two excellent resources:
- Internal Audit’s Expanding Role: The Foundation for Connected Risk
- The Connected Risk Report: Uniting Teams and Insights to Drive Organizational Resilience
Here's a crucial final point: Even if you're aligned and ready to be the catalyst for your organization's Connected Risk approach, you must first prove your ability to lead this kind of enterprise-wide transformation.
Internal Audit and SOX leaders can prove themselves by consistently exceeding expectations in their core responsibilities.
For those with SOX responsibilities, this means managing a SOX program that goes beyond merely meeting expectations or simply testing controls. You should lead a team that educates control owners, uses purpose-built technology to reduce control workloads, builds strong relationships with External Auditors, and streamlines in-scope controls. Moreover, you should be recognized throughout your organization as a champion of strong controls, demonstrating how better controls drive better business performance.
For those with Internal Audit responsibilities, you should be managing a program that adds value to the company's success. Your audit work should focus on areas relevant to the company's mission. You need to engage trained professionals who apply critical thinking and curiosity to identify improvements. Above all, you must be committed to making it as easy as possible for your audit customers to work with your teams.
What I've outlined today represents not only my perspective on how the Internal Audit and GRC industry will evolve, but also my vision for strengthening our industry through the Internal Audit Collective.
Through our online community and training programs, we will highlight best practices and lessons learned for building and managing modern SOX programs and Internal Audit teams—ones that consistently exceed stakeholder expectations.
And together, as a Collective, we will develop, refine, and mature a playbook that enables many to lead their organizations forward through Connected Risk.
For those who are interested, you can learn more and register to become a Founding Member of the Internal Audit Collective here.