8 April 2026 · Bilal Afzal
Audit committees have changed what they ask of internal audit. The question is no longer only "what did you find?" but "what should we be worried about, and are we ready?" Meeting that expectation takes a deliberate shift in how the function operates.
A board-ready function organises its plan around the organisation's most significant risks and tells the committee plainly where assurance is strong, thin, or absent. Coverage for its own sake is noise.
Reporting should answer "so what?". Group issues by theme, connect them to the risks the board cares about, and be explicit about residual risk. A clear one-page summary earns more influence than a long appendix.
Data analytics, technology risk and a working grasp of the business model are no longer optional. The strongest functions invest in these capabilities before a crisis forces the issue.
Credibility is built in the quiet periods — through reliable delivery, candid conversations, and a track record of being right about what matters. By the time the committee convenes, trust should already be in place.
None of this requires a larger team. It requires a sharper sense of purpose, and the discipline to apply it. That is usually where an outside perspective helps most.