From assurance to advisory: The shift boards are asking internal audit teams to make
One European CAE saw demand for internal audit advisory services consume more than half of his annual plan in 2026. Two years earlier, the split was 80% assurance and 20% advisory. That is not an incremental change. It is a fundamental rebalancing of what internal audit does and how it delivers value.
The shift is not happening in isolation. Risk in Focus 2026 research from the IIA and ECIIA, based on surveys of more than 4,000 Chief Audit Executives globally, shows that boards and management are actively driving the change. They want CAEs to share knowledge on emerging and interconnected risks, offer constructive challenge on strategic decisions and provide advisory input on the viability of new commercial initiatives.
The question for most internal audit functions is not whether to make this shift. It is how fast they can get there.
Why boards are pushing internal audit toward advisory services
The 2024 IIA Global Internal Audit Standards define internal audit's mission as strengthening the organization's ability to create, protect and sustain value by providing independent, risk-based and objective assurance, advice, insight and foresight. Those last two words have become the focal point for boards operating in a volatile risk environment.
The pace of change is the primary driver. Geopolitical disruption, AI adoption, tariff instability and talent shortages do not wait for quarterly audit committee cycles. Boards need real-time intelligence, not retrospective assurance on last quarter's controls.
Richard Chambers, Senior Internal Audit Advisor for AuditBoard, made this point directly in the Risk in Focus 2026 North America research: internal auditors need to have frank and candid conversations with executive management and the board about the current environment and educate them on what internal audit can do to help navigate it.
The challenge is that most board members will not naturally think of internal audit when a new strategic risk emerges. As Chambers noted, very few executives are going to think that tariffs are changing three times a day and decide to call internal audit. That means the initiative has to come from the audit function itself.
What internal audit advisory services look like in practice
Advisory work in internal audit is not consulting in disguise. It is the application of the same independent, risk-based perspective that underpins assurance work but directed at emerging risks and strategic decisions rather than historical controls.
The Risk in Focus 2026 research provides concrete examples of what this looks like across industries:
- Supply chain resilience (utilities): At a Wisconsin-based utility company, the audit team shifted away from routine audits and started reviewing risks in construction, procurement and strategic resource alliances. Audit Manager Andrea Klubertanz explained in the research that her team focused on thinking more strategically because that is what their stakeholders and audit committee wanted to see.
- Geopolitical risk monitoring (retail): At an international clothing retailer in North America, geopolitical uncertainty became a top enterprise risk. Internal audit stepped up its advisory work to keep management informed about tariffs and military actions affecting suppliers.
- Innovation and product launches (consumer goods): A CAE at a global European drinks company described providing advisory services on the business's approach to innovation, product launches and marketing. He positioned his role as providing assurance that the business division was sufficiently in control of achieving its strategic objectives given available resources.
- Cross-functional risk teams (multiple sectors): The North America research described an "all-hands-on-deck mentality" in organizations, with internal auditors joining teams alongside IT, ERM and executive management to address emerging threats.
The assurance-advisory balance: getting the split right
The shift to advisory does not mean abandoning assurance. Boards still need independent validation of controls, processes and compliance. The question is what proportion of the audit plan each activity occupies and whether the balance reflects the current risk environment.
| Approach | Focus | Board value |
|---|---|---|
| Traditional assurance | Historical controls, compliance testing, process validation | Confirms what happened and whether it was controlled |
| Advisory services | Emerging risks, strategic decisions, governance of new initiatives | Informs what should happen next and whether the organization is positioned for it |
The European CAE who moved from 80% assurance to 45% did not stop providing assurance. He rebalanced to match the speed of risk change in his organization. The key principle is that the split should be driven by the organization's risk profile, not by habit.
How to position your function for the advisory shift
CAEs who have successfully expanded into advisory services in the Risk in Focus 2026 research share several common approaches:
- Proactive engagement. They do not wait for the board to ask. They identify emerging risks and bring insight to the table before being invited.
- Strategic language. They frame findings and advice in terms of business impact and strategic objectives, not audit methodology.
- Constructive challenge. A UK risk consultant at the European roundtables made the point that one of the sub-components of strategic risk is groupthink. CAEs should ask what arrangements the board has made to ensure such thinking does not contaminate the strategic formation process.
- Relationship investment. IIA Executive Vice President Benito Ybarra noted that internal auditors have a significant opportunity to engage board members and senior leaders to make sure they understand what internal audit can do to help organizations thrive. That engagement happens outside formal meetings, not just during them.
The audit functions that lead will be the ones that moved first
The data from Risk in Focus 2026 is unambiguous: the demand for internal audit advisory services is growing and it is being driven by the board, not by the audit function alone. CAEs who recognize this and rebalance their plans accordingly will position themselves as strategic partners. Those who do not risk becoming less relevant at the exact moment when their expertise is most needed.
For the full framework on how to bridge the gap between what boards want and what internal audit delivers, Ideagen's guide, Bridging the gap: How Internal Audit teams can have more productive conversations with the board, covers the complete picture.
Sources: Risk in Focus 2026, North America (IIA/Internal Audit Foundation, 2025); Risk in Focus 2026, Europe (ECIIA, 2025); IIA Global Internal Audit Standards, 2024.
Bridging the gap: Productive conversations with the board
Explore internal audit solutions
Get more value, more audits and more flexible workflows from your internal audit software.
Noor serves as an experienced Marketing Executive within Ideagen's comprehensive software portfolio. She specializes in making complex compliance and EHS concepts accessible to everyone, turning industry jargon into clear, compelling stories. Passionate about bold, innovative marketing strategies, Noor works to elevate brand identity and connect organizations with smarter ways to manage risk and regulatory change.
