Skip to main content
Contact Us
Search
Weaver Connect
Payment Portal Client Login Weaver Alumni
Home    /    Insights & Resources

Beyond the Benchmarks: 2025 IIA Pulse Report Insights and the Future of Internal Audit

Article
The 2025 IIA Pulse Report signals a turning point for internal audit. Explore the emerging trends, challenges and future of internal audit.
8 minute read
April 23, 2025
David Lange
David Lange
Director, Risk Advisory Services

Related

Never miss a thing.

Sign up to receive our insights newsletter.

Subscribe

Business, Technology, Internet and network concept

Each year, the Institute of Internal Auditors (IIA) publishes the North American Pulse of Internal Audit (the Pulse) report. The report offers a statistical snapshot of the internal audit profession: trends, shifts and new responsibilities illustrated with tidy graphs and key findings. While the 2025 report is packed with the traditional valuable data and insights, the real value lies between the lines.

After reading the 2025 Pulse report closely, you may notice that something deeper and more critical is happening. This year’s data doesn’t only describe the profession’s current state but also signals a turning point. This turning point isn’t a slow drift toward modernization but rather a pressure-cooker moment of convergence between strategy, technology, talent and expectation.

We explore some key findings and inferences about what the Pulse report didn’t directly say, and what internal audit departments should start doing, starting now.

What the Report Didn’t Say But Clearly Shows

Internal audit is becoming a hybrid risk advisory powerhouse

The data clearly shows that internal audit functions are being pulled in more directions. Almost 90% of Chief Audit Executives (CAEs) have responsibilities outside of internal audit, including fraud (47%), Sarbanes-Oxley Act (SOX) compliance (36%) and ethics (33%). Also, nearly 33% of CAEs are now accountable for enterprise risk management (ERM), up from 24% nine years ago.

At the same time, CAEs are pushing to increase advisory services in their portfolios from 25% to 40%. In other words, they don’t only want to audit — they want to shape strategy and operations proactively.

This blend of assurance and advisory isn’t just a service mix. It is a structural transformation. The traditional Three Lines Model is being blurred. Internal audit is increasingly part risk advisor, part watchdog and part business partner.

The report’s unspoken theme: Internal audit is evolving into a hybrid risk advisory function, and that shift demands new models, metrics and mindsets.

Technology readiness is the profession’s silent vulnerability

About 92% of CAEs believe that data analytics is crucial to internal audit’s future, but only 28% say their functions have “high or advanced” data capabilities. Nearly 41% of CAEs are using Generative Artificial Intelligence (GenAI), indicating an increased use, yet most auditors are not equipped to provide assurance or guidance on GenAI. Advisory services related to GenAI lag even further behind.

This can create a serious gap. Internal audit is being pulled into evaluating, advising on or even overseeing areas it doesn’t yet understand well enough.

The report’s unspoken theme: One of the biggest risks facing the profession may not be external. It may be our own technical unreadiness.

Expectations are surging, but capacity is not

Funding remains flat or modestly improved. Staffing is slowly ticking upward post pandemic, but it is not in line with demand. About half of all CAEs say their functions are underfunded, even as their scope continues to grow. This disconnect is sharpest in public sector and not-for-profit organizations but is visible across all industries.

Meanwhile, expectations are accelerating for tech integration, advisory growth and strategic alignment.

The report’s unspoken theme: Internal audit is heading toward a capacity crisis unless it retools both its case for funding and the way it delivers value.

The profession is in cultural transition

Millennials now account for a rising share of leadership, and their fingerprints are already visible. They are leading the charge on GenAI adoption with a 52% use rate vs. 40% for Generation X and 31% for Baby Boomers. Gender balance is also improving, with women now comprising 47% of CAE roles.

This generational and cultural shift will also shape how internal audit works, including its tools, tone and tolerance for ambiguity.

The report’s unspoken theme: Internal audit isn’t just evolving — it is being inherited by a new generation with different instincts and priorities.

What to Do Now? Six Steps for Internal Audit

Being future focused and attaining sustainable growth will require more than making minor adjustments. Based on the 2025 Pulse data and these emerging themes, forward-thinking CAEs and internal audit functions need to consider taking bold actions concretely and urgently.

1. Redesign the audit operating model around modern risk: The traditional audit plan, aligned to business units or compliance areas, is no longer enough.

Actions to consider:

  • Organize into cross-functional squads centered on risk domains, such as digital, third-party, sustainability, GenAI and culture.
  • Carve out explicit time and resources for advisory services. For example, transform talks about shifting from 25% to 40% advisory into action by building it into capacity models, key performance indicators (KPIs) and charters.
  • Embrace agile audit planning. Update risk priorities quarterly, not annually.

Why it matters: The work is changing faster than the structure. If you don’t align the model with modern realities, you may risk becoming irrelevant.

2. Launch a technology competency offensive: Internal audit can’t audit, advise on or oversee what it doesn’t understand.

Actions to consider:

  • Implement mandatory upskilling across all levels, beginning with data analytics, progressing to GenAI literacy and finally, closing with process automation.
  • Assign tech fluency metrics in performance reviews.
  • Appoint a “tech champion” or form a GenAI task force to lead strategy, controls evaluation and education both internally and for other functions.

Why it matters: Without technical fluency, internal audit may not only struggle to add value but also actively become a risk to itself.

3. Reframe budget requests around value protection: Traditional asks, such as “we need more staff to cover more audits,” no longer efficiently address problems.

Actions to consider:

  • Link funding to enterprise value preservation: cyber resilience, fraud prevention, strategic project assurance and real-time insight.
  • Use data from the 2025 Pulse report to show that strategic alignment correlates with better funding and performance.
  • Present audit as a risk navigator and innovation enabler, not a box-checker or compliance cost.

Why it matters: Executives fund what they fear or value. Internal audit needs to frame itself as both a protector and multiplier.

4. Build a generationally fluent and culturally nimble team: The Pulse report indirectly hints at a generational and gender evolution and shift. Make this a strategic focus.

Actions to consider:

  • Identify your future leaders and empower them. In addition to mentoring them, learn from them.
  • Balance succession planning with succession activation. Millennials and Generation Z want impact, not a long waiting period.
  • Let younger leaders pilot new methods: agile, tech-forward auditing and cross-functional advisory work.

Why it matters: Culture is strategy’s delivery system. Generational fluency is a performance imperative.

5. Use outsourcing as a capability builder, not a crutch: More than 70% of functions outsource something, especially cybersecurity, SOX and information technology (IT). However, outsourcing can create knowledge gaps unless carefully managed.

Actions to consider:

  • Establish cosourcing agreements with structured knowledge transfer provisions.
  • Prioritize surgical outsourcing and target areas where in-house development is impractical, such as GenAI algorithm audits.
  • Create a “build vs. buy” matrix based on strategic priorities, not just cost.

Why it matters: If executed properly, outsourcing can expand reach. If executed incorrectly, it can hollow out core competence.

6. Shift from static risk registers to real-time risk narratives: Most audit plans still revolve around operational, compliance and SOX risks. While this is necessary, it is also insufficient.

Actions to consider:

  • Add a quarterly “emerging risk council” to reassess audit priorities.
  • Align your reporting to external events: regulatory shifts, tech incidents, supply chain volatility.
  • Move toward risk storytelling: what’s unfolding, why it matters and what it means for business objectives.

Why it matters: Executives often ignore static risk charts. They act on compelling narratives tied to strategic urgency.

Key Takeaways: Disruption is Alive and Well

While the 2025 Pulse report may not directly say, “disruption,” it is persistently implied, revealing what is clearly written between the lines:

  • Internal audit wants to be more strategic but needs new tools to get there.
  • CAEs are embracing advisory and innovation but with limited resources.
  • The profession is transforming demographically and technologically but not always intentionally.

To thrive in the next decade, internal audit will be challenged to redesign its function, reimagine its skillset and reassert its strategic value. The report gives us the signals and encourages leaders and teams to respond with bold moves, not just safe ones. Let Weaver help prepare your business for the future with tailored guidance and support on transforming your internal audit function. Contact us today.

©2025