Upskilling the Internal Auditor of the Future: Becoming a Risk Architect in an AI World
May is Internal Audit Month, a time for us to reflect on our profession and ask whether we are truly ready for the future. With artificial intelligence (AI) now firmly embedded across organisations, this question feels more relevant than ever before.
AI is no longer a concept on the horizon. It already influences and shapes how decisions are made, how controls operate, and how risks emerge across organisations. As internal auditors, we are right in the middle of this rapid change. As more of the processes we audit are driven by AI and as AI becomes integrated into our own audit work, from planning and execution to reporting, the question I often hear is whether AI will eventually replace internal auditors.
The real question, however, is whether we ourselves will evolve. Can we use AI to work smarter, while continuing to apply judgment, context, and professional scepticism where it truly matters?
Doing More, Not Just Faster
Internal audit teams today are under pressure with constrained headcount, faster digital change, and rising regulatory expectations. AI helps us respond by allowing us to do more with the same or even fewer resources.
AI can already automate data analysis, identify anomalies across large datasets, and standardise testing and audit workpapers. Even junior auditors can now run advanced analyses using simple prompts. This expands audit coverage and improves consistency and quality, but faster audits alone do not create value.
AI can highlight patterns, but it cannot explain why something happened, what it means for the organisations, or determine which risks are more critical. That remains our responsibility. Our role is no longer just to test transactions, but to step back and evaluate whether the overall risk and control design still makes sense and supports business objectives.
Analytics may flag outliers during our review of the procurement or expense testing but only professional judgement can assess and determine whether these are genuine control issues or simply changes in business activity. This is where the true value of the internal auditor lies.
Risk Has Changed, So Must Our Thinking
AI changes risk in a fundamental way. A poorly designed model does not just create a single error. It can replicate that mistake across many outcomes very quickly. Models can also deteriorate quietly over time as customer behaviour, market conditions, or fraud patterns evolve. This introduces less visible but systemic risks, including bias, data quality issues, and unclear accountability.
Because of this, internal audit must shift from transactional-level testing to lifecycle and system-level governance and oversight. We need to focus on how risks evolve across the full lifecycle of AI-enabled processes, not just at a point in time.
We should be asking:
- Before deployment: Is the data reliable and fit for purpose? Have bias, privacy, and ethical risks been addressed?
- During operation: Are outputs explainable? Is model drift monitored? Is ownership clearly defined?
- Over time: Do dashboards tell the full story? Are signals captured early enough for action?
From Executor to Risk Architect
Internal Audit Month is a timely reminder that our value does not come from volume or speed, but from the quality of our judgment.
As more execution work becomes automated, our role as internal auditors is shifting toward becoming Risk Architects. This means understanding how automated systems work end to end, identifying where they can fail, and assessing whether governance operates in practice as well as in design. This does not mean every internal auditor needs to become a data scientist. It does mean we need sufficient AI and data literacy to ask the right questions, challenge assumptions, and translate technical complexity into material business risk.
Skills That Matter Most
The internal auditor of the future therefore needs a balanced and evolving skillset:
- Basic AI and data literacy: Understanding how data flows through systems and where automation replaces human judgment.
- Risk and governance insight: Assessing ownership, accountability, and alignment with risk appetite and ethics.
- Critical thinking: Challenging outputs and identifying what is not being surfaced.
- Business insight: Linking AI and automation to operational, financial, and reputational impact.
- Clear communication: Translating complexity into messages that support decision-making.
- Curiosity and adaptability: Continuous learning in an environment of constant change.
Making Upskilling Practical
Upskilling is most effective when embedded into daily audit work, not treated as a separate exercise. This includes:
- Learning AI through real audit examples rather than theoretical training.
- Working closely with IT, Risk, and Compliance to understand how AI is governed in practice.
- Documenting limitations in AI-driven analytics and testing alternative explanations for anomalies.
- Using sandbox environments to experiment safely.
- Sharing insights, tools, and lessons learned across teams to build collective capability.
What Leaders Can Do
Internal Audit Month is not only about recognising the profession but also about shaping its future. As internal audit leaders, we play a critical role in defining what AI literacy means in practice, when specialist skills are needed, and how professional judgment should be applied.
We also need to model curiosity and healthy scepticism in equal measure. Performance measures should evolve accordingly, recognising quality of judgment, system level thinking, and clarity of communication, not just execution speed or volume. Progress should also be assessed by internal auditors’ confidence in AI concepts, whether audits are evolving towards lifecycle-based reviews, and whether messages to the Board are clear and decision focused.
The Human Edge
As automation becomes part of everyday audit delivery, speed and scale are no longer differentiators. What will remain critical is judgement.
AI will enhance how we work, but internal auditors enhance how organisations think, decide, and build trust. By combining technology with human insight, we move beyond reviewing controls to helping organisations build resilience, strengthen governance, and make better decisions.
Internal Audit Month reminds us that our relevance depends on continuous adaptation, sound judgement, and the ability to help organisations navigate uncertainty with confidence in an AI-enabled world.
Emily Lai is the Head of Business Risk Services at Grant Thornton Singapore, with extensive experience gained from Big Four accounting firms across the United States, Australia, Greater China, and the ASEAN region. She serves on the Board of Governors of The Institute of Internal Auditors Singapore.
