Internal auditors occupy a vantage point in the enterprise few others share. We often see risk as it emerges, not after its effects have become evident. We see where controls are strained, where governance is tested, and where culture either reinforces or undermines both.

That vantage point comes with an obligation. Not simply to report to management what has already happened, but to ensure the audit committee understands what it needs to know now.

Over the years, I have encouraged internal auditors to use their access to the audit committee with intention. In some cases, management filters or shapes what reaches the board. In others, important signals never rise to the surface at all. The result is the same. The audit committee frequently operates with an incomplete view of risk.

That is a failure of governance.

If internal audit is to serve as a trusted advisor, you must close that gap. Here are five messages that audit committees need to hear now.

1. Our Risk Assessment May Not Reflect Today’s Reality

Risk conditions are shifting faster than most risk assessments can keep up. Many organizations still rely on annual or semiannual processes that quickly become outdated.

You should be candid with the audit committee if your audit plan is anchored in assumptions that no longer hold.

• Emerging risks tied to AI adoption, cyber threats, and third party dependencies are evolving in real time
• Geopolitical instability and regulatory changes are creating second and third order impacts across supply chains
• Economic uncertainty is reshaping liquidity, pricing, and demand assumptions

If your audit plan does not reflect these dynamics, say so clearly. More importantly, propose how you will adapt.

Audit committees need assurance that internal audit is not simply following a plan. They need confidence that you are following the risks.

2. Management’s Risk Disclosures May Be Incomplete

One of the more difficult truths I have shared is that audit committees are sometimes misled not by outright falsehoods, but by omission.

Management may present a picture of control effectiveness that is technically accurate, yet incomplete. Issues may be framed as isolated when they are systemic. Emerging risks may be downplayed because they have not yet materialized.

Internal audit is often the only function positioned to see and say something about this pattern.

You should not hesitate to tell the audit committee when:

• Issues appear more widespread than management acknowledges
• Root causes are not being fully addressed
• Significant risks are being minimized or deferred

This requires judgment and courage. It also requires evidence. But when you see a disconnect between what management reports and what you observe, silence is not neutrality. It is acquiescence.

3. Resource Constraints Are Creating Blind Spots

Across the profession, I continue to see a troubling pattern. Risks are increasing, yet internal audit resources remain flat or, as is becoming more common, declining.

This is not simply a staffing issue. It is a risk coverage issue.

If your team lacks the capacity or capability to address critical risk areas, the audit committee needs to hear that directly from you.

• Are you unable to audit key areas such as AI governance, cybersecurity, or third party risk?
• Are audits being deferred or scoped down due to resource limitations?
• Do you lack specialized skills required to assess emerging risks?

These are not operational inconveniences. They are governance concerns.

Audit committees cannot fulfill their oversight responsibilities if they are unaware of gaps in assurance. You serve them best by making those gaps visible and by outlining what it will take to close them.

4. Culture and Tone at the Top Are Not Where They Need to Be

Culture remains one of the most significant drivers of risk, and one of the least effectively reported.

Internal audit has a unique lens into culture through your interactions across the organization. You hear what employees say. You see how decisions are made. You observe whether policies are followed in practice.

When culture does not align with stated values, the audit committee needs to know.

• Are employees reluctant to raise concerns?
• Do incentives encourage risk taking that exceeds the organization’s appetite?
• Is there evidence of a fear based environment where bad news is suppressed?

These signals rarely appear in dashboards or formal reports. Yet they often precede major failures.

Audit committees rely on internal audit to provide an unfiltered view of organizational culture. If you do not raise these issues, they may go unaddressed until they surface in far more damaging ways.

As with any communications to the audit committee, we should not surprise management by what we say. Be transparent with management about conversations that need to be had with the audit committee. It’s always preferable to have management blow the whistle – rather than us. But if management can’t or won’t, then we must have the courage to say what needs to be said.

5. The Organization Is Not Moving Fast Enough on AI Governance

Artificial intelligence has quickly moved from a theoretical risk to an operational reality. Yet governance has not kept pace.

Many organizations are experimenting with AI tools without fully understanding the risks they introduce. Data privacy, model bias, regulatory exposure, and decision accountability are all in play.

Internal audit should be direct with the audit committee about where the organization stands.

• Is there a clear inventory of AI use cases across the enterprise?
• Are governance frameworks defined and enforced?
• Does the organization understand the risks associated with third party AI solutions?

If the answer to any of these questions is no, that is not simply a technology issue. It is a governance gap.

At the same time, audit committees should understand that AI is not only a risk to be managed. It is a capability that internal audit itself must leverage to remain effective. If your function is not advancing its own use of AI, that is a strategic risk worth elevating as well.

Closing Thought

The relationship between internal audit and the audit committee is built on trust. That trust is reinforced when you provide clear, candid, and timely insight.

It is tested when important information is withheld or softened.

You are not there to confirm what the audit committee already believes. You are there to ensure they understand what they need to know, especially when it is uncomfortable.

In an environment defined by rapid change and rising risk, that responsibility has never been more important.