In a recent article for AuditBoard, I shared 10 lessons I have earned in my 50 years on the (internal) audit trail. Number 3 on the list was “Follow the Risks – but Remember That Risk is a Moving Target.” Never has that been truer than in 2025!

When most internal audit departments crafted their 2025 audit plans in the final months of 2024, they did so with the best risk intelligence available at the time. Yet, as the first quarter of 2025 unfolded, internal auditors were once again reminded of the harsh reality that planning in an “era of permacrisis” is an exercise in humility. Within the first 100 days of the Trump administration’s return to power on January 20th, sweeping policy changes on tariffs, immigration, deregulation, and international relations introduced new, high-velocity risks that few had fully anticipated. These actions created 2nd and 3rd order risks that threaten recession, inflation, or both. While some of the 1^st quarter events primarily impacted Americans, others disrupted risks risk assessments around the world.

In a recent survey I conducted of internal auditors, 18% reported a significant impact to their audit plans caused by macroeconomic and geopolitical events in early 2025. Another 41% reported a moderate impact. That means nearly 60% of internal audit functions were forced to revisit or reconsider portions of their original audit plans in just the first quarter of the year. Only 38% reported no impact — a figure that likely reflects either extraordinary resilience or under preparedness to pivot in response to risk volatility.

The Era of Permacrisis: A Challenge to Traditional Planning

The term “permacrisis” has become a defining label of the 2020s, describing a prolonged period of instability, volatility, and overlapping threats. For internal auditors, this reality renders static annual planning models insufficient. The risks that many departments identified in Q4 2024 — cybersecurity threats, regulatory compliance, supply chain dependencies — remain relevant, but their shape, urgency, and interaction with other risks have changed dramatically in just a few months.

Several high-profile developments underscore this point:

• Tariff shocks on American imports from China, Mexico, and the European Union have upended cost structures for manufacturers and retailers.
• New immigration policies have disrupted labor availability in key sectors, especially agriculture, logistics, and healthcare.
• Deregulatory executive orders have left compliance and ESG-focused audit areas in flux.
• Geopolitical escalations, particularly in Eastern Europe and the Taiwan Strait, have reintroduced supply chain fragility and uncertainty.

Each of these developments has altered the risk landscape so significantly that internal audit plans built just months ago now risk being misaligned with organizational priorities.

Why Risk Velocity and Volatility Matter

What sets early 2025 apart is not just the emergence of new risks, but how quickly those risks escalated. Internal auditors have long assessed risk based on likelihood and impact — but today, risk velocity (the speed at which a risk materializes and causes harm) and risk volatility (the unpredictability of a risk’s behavior and interdependencies) are just as critical.

The swift imposition of tariffs, for example, led companies to revise pricing strategies, supply chain arrangements, and capital expenditure plans within weeks. The traditional audit response — waiting for issues to appear in financial reports or operational metrics — is too slow. Auditors must now identify emerging risks before they crystallize.

Recommendations for Internal Auditors: Navigating the Rest of 2025

To remain relevant and add value in this volatile environment, internal audit functions must become more dynamic, forward-looking, and risk-intelligent. Here are six recommendations:

1. Revisit the Audit Plan Now — and Again Each Quarter. The audit plan should be treated as a living document. Internal audit teams should schedule formal quarterly risk refresh meetings with executive leadership and risk owners. Use these check-ins to realign audit priorities with the most urgent and material risks facing the organization.
2. Integrate Real-Time Risk Monitoring. Adopt tools and processes that allow for near real-time tracking of geopolitical, economic, and regulatory indicators. This could include dashboards that integrate third-party data (e.g., tariff updates, policy announcements) or AI-based sentiment analysis to detect early warning signs.
3. Enhance Stakeholder Dialogue. Internal auditors must remain plugged into the strategic concerns of the C-suite. Increased engagement with the CFO, General Counsel, Chief Risk Officer, and operating leaders is essential. Ask targeted questions: What decisions are keeping you up at night? What assumptions are you rethinking this quarter?
4. Focus on Scenario-Based Auditing. Scenario planning is no longer just a strategy exercise — it should inform the audit universe. For example, if tariffs on Asian goods escalate further, what risks emerge for procurement, inventory valuation, or customer pricing? Use plausible scenarios to identify vulnerabilities and pre-emptively address them in audit coverage.
5. Audit Organizational Resilience. Audit not just business processes, but resilience capabilities. How quickly can the company respond to policy shocks? Are crisis management protocols, communication channels, and supply chain alternatives in place and tested? Internal audit can evaluate the preparedness of key functions for fast-moving disruption.
6. Stay Agile — Structurally and Culturally. Agility is both a mindset and a structural design. Internal audit functions should build in reserve capacity (e.g., unallocated hours or flex staff) to pivot toward emerging issues. Additionally, embrace an agile auditing approach: shorter cycles, targeted engagements, and rapid reporting.

Final Thoughts: The Value of Inflexibility

The early turbulence of 2025 has demonstrated that while audit planning has traditionally been an asset, rigid audit plans are a liability. Organizations are navigating a risk environment where the half-life of relevance is shrinking fast. Internal audit functions that fail to adapt may find themselves auditing last quarter’s priorities while today’s risks go unaddressed.

Conversely, those who treat this as a clarion call — to rethink risk, revamp planning, and realign with the speed of change — will emerge as indispensable advisors to management and the board. The future belongs to those audit teams who can anticipate the unexpected and adjust before it’s too late.