This article is Part 4 of Achieving Audit Leadership Through Analytics and AI, a 6-part series co-written by The Internal Audit Collective and Supervizor to help audit leaders move from findings to business ownership.
Here's something Tom O'Reilly of the Internal Audit Collective has observed across audit programs at every maturity level: business leaders generally like the work internal audit does. What they don't like is what happens after.
There's a conversation that plays out in internal audit departments across every industry, every year. A business leader pulls the CAE aside before fieldwork begins and says some version of this: "We'd genuinely love your help here – but is there any way we can keep this informal?"
Because once findings travel up the governance chain in a formal report – to the CFO, the audit committee, whoever sits at the top of oversight – the context disappears. The vendor exception the team was already resolving. The approval gap that had been flagged internally three weeks prior. The process breakdown that occurred under unusual circumstances and had already been corrected. None of that nuance survives the typical audit report. What does survive is their name, attached to a documented problem, in a document that will live in someone's file indefinitely.
Most audit leaders nod when they hear this. Few take the right lesson from it. The lesson isn't that you should write fewer reports. It's that the audit report has become the primary – often the only – artifact of your relationship with the business. When that's true, the relationship will always be guarded: from the moment business leaders know you're coming, they're managing their exposure, sharing selectively, and keeping their real concerns close. That posture limits audit's value far more than any coverage gap. It's the structural barrier between audit-as-assessor and audit-as-advisor – and it's what the best CAEs in 2026 are actively dismantling.
The teams winning in 2026 aren't producing more reports. They're producing more conversations.
The Report Is Not the Problem
Let's be clear upfront: none of what follows is an argument for reporting less. The audit committee needs unfiltered access to findings. Top management needs to see that audit is finding things. The governance infrastructure the report serves is legitimate and non-negotiable. The CAE who softens findings to protect business relationships has made the wrong trade.
But Tom puts the business leader's experience plainly: "Audit reports are airing people's dirty laundry." That's not a critique of the profession. It's an accurate description of how the format lands on the receiving end. You wrote a professional assessment. The business leader read a verdict. You documented what you found. They experienced being exposed to their leadership chain without context or warning. The same document carries two completely different meanings depending on which side of the table you're sitting on.
There's a structural tension that skilled CAEs learn to navigate explicitly. Top management and the audit committee need to see that audit is doing its job. That's non-negotiable. But the business leaders who actually own the processes – the head of global AP, the VP of operations, the regional finance director – want something different: help without the spotlight. The question is whether those two things can coexist. They can. But only if you stop treating every finding as a report item and start making active, deliberate judgments about what genuinely requires escalation versus what can be resolved through a direct professional conversation before the draft is finalized.
Here's the reality check worth sitting with: Tom estimates roughly 20% of audit functions are actively making positive movement toward a genuine advisory posture. The other 80% want to get there – they've said so at conferences, updated their audit charters, had the right conversations with their CFOs – but when you examine the actual audit plan, it's still predominantly compliance testing and traditional assurance work. That gap isn't about aspiration. It's about what the reporting relationship has made possible. You can't be an advisor to people who are managing their exposure around you.
Three Ways Audit Creates Value Without a Report
1. Data-Driven Risk Assessment as a Service
When most audit teams think about what analytics does for them, they think about coverage: testing 100% of the transaction population instead of a sample. That's the first horizon. The second horizon is efficiency – freeing your team from weeks of manual matching so capacity shifts toward analysis rather than reconciliation. Both matter. But the third horizon is where the advisory relationship actually begins: using data to generate perspectives the business doesn't already have.
Picture arriving at a pre-audit planning meeting with a CFO and showing her that AP concentration risk has shifted materially toward three vendor categories over the past 18 months – and that two of those categories correlate with fraud patterns at peer companies in the same sector. The audit hasn't started. There's no finding. It's a service: an insight the CFO didn't have, assembled from transaction-level data, delivered at a moment when the business can still act on it rather than receive it as a verdict after the fact.
That shift – arriving with insight rather than arriving to investigate – changes the dynamic entirely. You're no longer the function that shows up to find problems. You're a source of organizational intelligence that no other internal function is generating. Finance doesn't have this view. Operations doesn't. Compliance doesn't. Business leaders make time for people who bring them useful things. Analytics is what determines which category you fall into.
2. Connecting the Dots Across the Organization
The CAEs who command genuine advisory relationships share a quality that shows up consistently: they're unusually well-connected, and that connection is active, not passive. It feeds value in two directions simultaneously.
Inside the organization, audit is unusually well-positioned to see the same process running across multiple geographies, business units, and leadership teams at the same time. Shared services and data teams can have this view too – but they're typically absorbed in operational demands that leave little room to surface comparative insights. When procurement in one region achieves a 97% on-time approval rate and a comparable region runs at 61%, audit is often the only function with both the visibility and the bandwidth to notice. No individual business owner is positioned to notice it. You can see it. That cross-silo visibility becomes advisory leverage when you bring the comparison into the right conversation – not as a finding, but as a question worth exploring together: "Have you seen what's driving the difference between how these two teams operate?" That question positions you as a strategic thinker. It opens a conversation. It earns trust.
Outside the organization, the well-networked CAE brings back what peers are doing. How are leading audit functions structuring AI governance? What's emerging around third-party concentration risk in global supply chains? What did comparable teams learn after their first year of continuous monitoring? CAEs who are deeply connected to their industry and peer communities return from those conversations with specific, credible examples that no internal function can generate alone. That external perspective, shared at the right moment with the right business leader, positions audit as a source of competitive intelligence rather than compliance pressure.
When both directions compound over time, the results can surprise you. Take a Fortune 200 manufacturer in Michigan. Their CAE started with procure-to-pay analytics across dozens of global entities – duplicate payments, vendor master data issues, approval exceptions. They brought results directly to local AP managers, who started investigating and fixing root causes themselves. Then the finance organization took notice. They had the same underlying struggle: accessing their own ERP data, building dashboards, tracking process trends over time. So the CAE started sharing the tools with finance. The program is now expanding into tax and treasury – helping finance teams get the visibility they've always needed into their own processes.
3. Advisory on Process and Control Design for Emerging Risks
This is where audit has its clearest competitive advantage – and where most teams leave the most value untouched.
When a process doesn't yet exist, there's nothing to audit. AI governance frameworks at most organizations are still being drafted. Controls for a newly entered market have no testing history. A just-closed acquisition carries a control infrastructure that reflects two separate companies, not an integrated one. You can't audit what hasn't been built. But you can advise on how to build it right.
The COSO Internal Control – Integrated Framework gives audit a vocabulary for these conversations that no other internal function holds as fluently. Control environment, risk assessment, control activities, information and communication, monitoring – audit can take any emerging risk or new initiative and translate it into a practical control design conversation. When a CTO asks how to structure AI governance, you can walk through all five components and help map out a build sequence for a program that doesn't yet exist. That's not audit forcing a framework where it doesn't belong. It's audit helping a business leader structure a problem they've never solved before, using the function that has spent decades thinking systematically about what good control design actually looks like.
Some teams are making this structural rather than opportunistic. One CAE at a global industrial company reorganized the audit function this year into two distinct streams: a traditional audit plan covering established risks, and a dedicated strategic pillar assessment aligned to the company's five declared priorities – improving margins, integrating a recent acquisition, managing supply chain exposure, and two others tied to their commercial roadmap. For each pillar, the team's mandate was to assess the key risks of not achieving the objective, not just the control deficiencies in the current process. That's a fundamentally different posture. And it's the posture that earns a seat at planning conversations, not just findings conversations.
What Makes the Handoff to Advisory Work
The easy answer to what enables advisory relationships is expertise. The accurate answer is discretion – and most CAEs underestimate how much it matters.
Business leaders will come to you informally, before problems surface, only if they believe you know what requires escalation and what can be resolved through a direct professional conversation. They need to trust that you understand the difference, and that you'll apply it reliably – that you're not going to treat every informal exchange as a finding in preliminary form. Good CAEs hold both things at once: the rigor that makes the governance track credible, and the judgment that makes the relationship track possible.
That trust builds in two places:
- First, through the sustained quality of audit work itself. When your findings are well-supported, your risk assessments credible, and your recommendations practical rather than theoretical, business leaders learn that engaging with audit produces something they can actually use. They stop managing exposure and start inviting you in.
- Second, through how you communicate findings when you do have them. The CAE who calls before the report lands – not to soften it, but to share context and thinking first – earns a different position than the one whose report arrives cold. That proactive call is evidence of professional judgment. It tells the business leader: you're a peer, not just a process.
The clearest leading indicator of advisory status is behavioral and specific: business leaders are calling you before problems surface. Not during an audit. Not after a finding. Before. They've started something new and want your perspective on the risk implications before they're committed. They've noticed something unusual in their own data and want a sounding board who won't route it directly into a formal process. They're navigating a situation with control implications and want to think it through with someone they trust.
That inbound pattern is the real measure – not recommendation acceptance rates, not audit committee satisfaction scores. Those are lagging indicators of work already completed. The leading measure is how often the business brings you problems they haven't yet framed as findings.
If you're in the 80% still working toward that posture, the path runs through the same sequence regardless of where you're starting:
- building the analytics foundation (Article 1)
- making it repeatable (Article 2)
- then handing continuous monitoring to the business (Article 3).
The advisory posture described here is what becomes available on the other side of that foundation.
What Does the Future of Internal Audit Look Like?
The profession is moving faster than most audit plans reflect.
AI-native analytics are already automating the majority of traditional transaction testing. Duplicate detection, three-way matching exceptions, approval threshold violations, reconciliation gaps – these are increasingly solved problems. Technology handles them at scale, more consistently than manual review, at a fraction of the cost. That creates a question every audit leader should be sitting with seriously: when AI handles the routine testing, what is internal audit actually for?
There are two honest answers to that question. For teams that haven't built advisory relationships, haven't freed capacity through automation, and haven't established themselves as strategic partners to the business, the answer is uncomfortable: the assurance work that defined their role is being automated away, and they haven't yet built the alternative. For teams that have done the foundational work, the answer is clarifying: the assurance infrastructure is handled, and what's left is the work that actually requires human judgment, organizational context, and trusted relationships.
The near-term structural opportunity is combined assurance – connecting internal audit, compliance, enterprise risk management, and IT risk into a coordinated view of organizational exposure rather than four separate functions running parallel assessments, reporting through separate channels, duplicating coverage, and occasionally contradicting each other. Internal audit is currently the only function actively thinking about how to build those bridges. Compliance is siloed into regulatory response. ERM operates at a strategic altitude that doesn't always connect to operational control reality. IT risk is technically deep and organizationally narrow. Audit has the independence, the cross-functional process visibility, and the governance relationships to convene a conversation none of the others can.
That window won't stay open indefinitely. As AI continues to automate assurance work, every second-line function will be forced to reconceive its role. The function that moves first to build an integrated risk governance architecture will own the model that emerges from that reconception.
For CAEs who have already navigated the analytics transition with rigor, the next horizon is something larger: serving as AI advisors to the business itself. When a CFO is working through how to structure AI-assisted finance controls, she'll turn to whoever in the organization has done that work with discipline and practical judgment. If your team has built a mature analytics program, proven it at scale, transferred continuous monitoring ownership to the first line, and developed genuine advisory relationships with business leaders – you're positioned to be that reference point. Not because you're advocating for audit's seat at the table. Because you've done the work and have something worth teaching.
The next two articles in this series explore where this trajectory leads: an audit function that has automated the routine, transferred operational monitoring to the business, earned genuine advisory relationships with leadership, and is now positioned to lead the enterprise risk governance conversation organizations most urgently need. That's not the audit function most CAEs inherited. It's the one the next decade requires – and for teams willing to start now, the distance to get there is shorter than it looks.
Nikki is a freelance writer, editor, proofreader, and general word-nerd. Nikki has a 20+ year career background in internal audit, risk, and fraud, and now applies that knowledge in her writing and editorial work, rather than in daily practice. She holds her Certified Internal Auditor (CIA), Certification in Risk Management Assurance (CRMA), and Certified Fraud Examiner (CFE) designations. She is also an active member of both the Institute of Internal Auditors (IIA) and the Association of Certified Fraud Examiners (ACFE).
