Chief audit executives are under increased pressure to provide assurance regarding risk management in 2025.
According to research conducted by Gartner, audit committees need more risk insight from audit to support the board’s oversight responsibilities as they relate to systemic governance issues and the highest impact emerging risks, including emerging legal and regulatory uncertainties, geopolitical and economic hurdles, and, in particular, the dual nature of AI as both a potential threat and a valuable business asset.
“2025 brings more high-profile risks and opportunities that are driving growing board focus on risk management, so CAEs need to be sure they are effective in helping the audit committee discharge its risk oversight responsibilities,” said Margaret Moore-Porter, vice-president and chief of research for the Gartner Assurance Practice. “CAEs typically get less than 30 minutes with the audit committee during formal presentations. They must quickly focus on the information the audit committee needs most: currently that relates to emerging high impact risks such as AI and any systemic governance issues.”
On AI specifically, Gartner highlights the difficulties that arise for internal audit due to the myriad ways in which risks can manifest, including behavioural risks, transparency risks and security and data risks.
“While most audit leaders accept it is important to cover key AI risks in the next 12 months, less than a quarter feel confident in their ability to do so,” Porter added. “To increase their confidence in providing assurance over complex AI risks, audit should collaborate with assurance partners to assess and prioritise AI risk coverage needs.”
To better support their organisations in managing and assessing AI risks, Gartner recommends that internal audit work with legal, compliance and risk teams to:
• Get organised for AI accountability and define enterprise practices;
• Discover and inventory all AI used in the organisation;
• Revisit and implement AI data classification, protection and access management;
• Implement technical controls to support and enforce policies; and
• Conduct ongoing governance, monitoring, validation, testing and compliance throughout the whole process.