As internal audit functions adapt to AI, real-time risk monitoring, and increasingly complex regulatory demands, their role is expanding well beyond traditional controls testing. In this Q&A with ProSight Financial Association, Eleanny Wernecke, a Partner in Oliver Wyman’s Risk & Finance Advisory practice, discusses how audit is becoming a more dynamic, technology-enabled, and strategically engaged function. She shares her perspective on the evolving relationship among audit, risk, and the business, as well as the skills auditors will need to remain effective in an AI-driven environment.
ProSight: How would you describe the evolving mandate of internal audit?
Wernecke: Internal audit is evolving from a function that primarily checked controls into a more dynamic, forward-looking, and technology-fluent organization. Historically, audit focused on validating existing controls, testing whether they operated effectively, and reporting findings. While that remains a core responsibility, today’s environment is moving much faster due to AI, agentic workflows, real-time payments, third-party ecosystems, cyber threats, and geopolitical uncertainty. As a result, internal audit must become faster, more agile, and more fluent in emerging risks involving technology, data, and governance. The future of internal audit is about delivering assurance that is broader, faster, and more relevant to how the business operates.
ProSight: Is internal audit becoming more involved earlier in business processes?
Wernecke: Yes. Organizations increasingly recognize that it is in everyone’s interest to involve audit earlier. When auditors gain visibility into initiatives during development, they can provide insights on where controls may fail and help organizations make better decisions as they design processes or strategies. The goal is to prevent audit from becoming a roadblock at the end of a project. Many audit functions now participate as observers in key meetings and conduct advisory reviews, where they share best practices and insights without compromising their independence.
ProSight: What does this advisory role look like in practice?
Wernecke: Audit’s advisory role is focused on controls and risk management rather than business strategy, maintaining its independence. For example, auditors may review draft policies, procedures, or control frameworks before they are finalized. By providing insights on leading practices, audit can help strengthen controls before implementation rather than identifying issues after the fact. The business ultimately decides how to proceed, preserving audit’s independence while benefiting from its expertise.
ProSight: How does audit evaluate decisions that involve subjective judgment?
Wernecke: Auditors do not make business decisions; they evaluate whether those decisions were made under the right governance and control frameworks. Audit focuses on whether decisions fall within the organization’s risk appetite, whether proper governance processes were followed, and whether the required approvals and authority levels were observed. The role of audit is to assess the quality of the controls and governance surrounding the decision, not the business decision itself.
ProSight: How does internal audit interact with boards and executive leadership?
Wernecke: Internal audit reports directly to the board audit committee, which is composed of independent board members. Audit plans, findings, and reports are regularly shared with the board, and the annual audit plan is approved by the audit committee. Chief audit executives are often invited to business board meetings, especially when major acquisitions, new products, or other strategic initiatives are under consideration. Their role is to provide an independent perspective on the organization’s control environment and risk management practices.
ProSight: How has the traditional audit cycle changed?
Wernecke: Traditionally, audit functions operated on a three- to four-year audit cycle, with reviews scheduled according to the risk profile of various business units. Today, organizations are moving toward continuous monitoring and continuous risk assessment. Rather than relying solely on annual planning exercises, leading organizations are updating risk inputs in near real time. They use operational metrics, media monitoring, market intelligence, and natural language processing tools to identify emerging risks and dynamically adjust audit plans as conditions change.
ProSight: Is this shift primarily driven by technology?
Wernecke: Technology is an important enabler, but the transformation is not driven solely by technology. Auditors are also spending more time in the field, building relationships with stakeholders and developing a deeper understanding of the business. Their expert judgment, awareness, and interactions help identify emerging risks that technology alone may not capture. Business knowledge and strong relationships remain essential components of effective auditing.
ProSight: How is the relationship among the three lines of defense evolving?
Wernecke: The three lines of defense model remains effective, but historically each line developed its own processes, data repositories, and methodologies. That created fragmentation, duplication of effort, and inefficiencies. Organizations are now working toward greater alignment through shared risk taxonomies, coordinated planning, and common foundational data. The challenge is that internal audit can only rely on work performed by risk or compliance functions after first determining that those functions are sufficiently robust and effective. Regulators have been very clear about the standards required before audit can place such reliance on another function’s work.
ProSight: What role does audit play from a regulatory perspective?
Wernecke: Audit is the third line of defense within an organization, but in many ways it serves as the first line of defense for regulators. When regulators conduct examinations, they frequently begin by reviewing internal audit’s work, findings, and perspectives. Internal audit helps regulators understand where risks may exist and where further attention may be needed. Because regulators rely heavily on audit, they also closely examine audit’s methodology, coverage, staffing, and capabilities to ensure the audit function itself is effective.
ProSight: How automated is the audit function today?
Wernecke: Automation opportunities vary depending on the type of activity. In areas with abundant data, such as compliance monitoring, transaction surveillance, payments integrity, and underwriting, technology enables more automation and real-time reviews. Other areas, such as credit underwriting and model risk management, require significant human judgment and subject matter expertise. As a result, organizations need a balance between automated monitoring and expert-led assessments.
ProSight: How is AI reshaping the skills auditors need?
Wernecke: AI is expanding the skill set auditors require across three distinct but complementary skill areas. First, auditors need the capabilities to audit AI itself. This includes understanding AI governance, controls, model risk, regulatory expectations, data quality, and the unique risks associated with AI systems. Second, auditors must become AI-native practitioners. Beyond auditing AI, they need to leverage AI to transform how audit work is performed. And third, auditors will need stronger advisory capabilities to create value in an AI-native organization. As routine activities become increasingly automated, auditors are expected to become trusted advisors who help the business navigate emerging risks, strengthen governance, and enable responsible innovation. Developing these capabilities requires more than technical training. Organizations are investing in continuous upskilling, hands-on experience, and cultural change to help existing professionals build new habits while also recruiting talent with the diverse skills needed for the next generation of internal audit.
ProSight: Will AI reduce the need for junior auditors?
Wernecke: That is not what we are seeing today. Organizations are largely using AI for activities such as report writing, document review, and other time-consuming administrative tasks. These tools free auditors to focus on higher-value activities and broader coverage. What is changing is the profile of entry-level talent. Future auditors will need stronger capabilities in working with unstructured data, operating AI tools and agents, and engaging effectively with the business. The role is evolving, but the need for talent remains.
ProSight: What risks or disruptions could fundamentally reshape audit in the years ahead?
Wernecke: AI adoption is already reshaping the profession by changing both the way organizations operate and the way auditors perform their work. Beyond AI, the migration from legacy systems to cloud environments and the growing importance of third- and fourth-party risk will significantly influence audit priorities. Overall, audit is becoming more central, more dynamic, and more proactive. The future of audit is less about reacting to issues after they occur and more about identifying risks before they emerge. In short, audit is moving from a reactive function to a preemptive one.