drssivanesan.com

Internal Audit Will Never Be Perfect — And That’s Exactly the Point

One of the most persistent misconceptions in governance is that internal audit should “cover everything.” It can’t. And more importantly — it shouldn’t.

Across industries, internal audit functions are under increasing strain. According to global benchmarks, audit teams are often 20–30% under-resourced, while risk landscapes continue to expand across cyber, ESG, AI, third-party ecosystems, and geopolitical exposures. The expectation, however, hasn’t changed. Boards still ask for comprehensive coverage, complete assurance, and zero surprises. This mismatch is where audit loses relevance.

The most effective audit functions I’ve worked with don’t aim for perfection. They focus on prioritisation. A regional bank I advised moved away from exhaustive audit coverage toward a risk-based model. By focusing on high-impact areas and leveraging data analytics, they reduced audit cycle time by 40% and reallocated effort toward cyber risk and third-party oversight. The result wasn’t just efficiency — it was better insight.

This reflects a broader shift in internal audit:

From coverage → to impact
From periodic reviews → to continuous auditing
From static plans → to dynamic risk alignment

Technology is enabling this shift. Data analytics and AI can now identify anomalies in real time — unusual transactions, control deviations, behavioural patterns. This allows audit teams to move from retrospective reviews to proactive risk detection.

But technology alone is not enough. The real transformation is cultural. Audit functions must move from being perceived as “process checkers” to becoming risk navigators. That requires:

Boards also need to rethink how they evaluate audit effectiveness. Traditional metrics such as number of audits completed or issues identified are no longer sufficient. More relevant indicators include:

The question is no longer: Did we audit everything?
It is: Did we focus on what mattered most?

In today’s environment, risk evolves faster than audit cycles. Trying to achieve perfection creates blind spots elsewhere. Internal audit’s value lies not in completeness, but in clarity and prioritisation. Organisations that recognise this are transforming audit into a strategic function — one that informs decisions, highlights emerging risks, and supports resilience. Those that don’t risk turning audit into a compliance exercise with limited impact.

StraitsTribe helps internal audit teams evolve into agile, insight-driven functions that focus on real-time risk and strategic impact.

Sustainability Governance Is Now a Core Business Risk

Sustainability has moved decisively from ESG reporting into the core of enterprise risk. What was once a narrative-driven exercise is now being tested through regulation, investor scrutiny, and operational realities.

The turning point is clear. The EU’s Corporate Sustainability Reporting Directive (CSRD) now applies to over 50,000 companies, with penalties reaching up to €10 million or 5% of global turnover. Across Asia, regulators in Singapore, Malaysia, and beyond are aligning with similar expectations — credible, auditable, and decision-useful ESG data.

This shift is exposing a gap in many organisations. Most have sustainability strategies. Many have ambitious targets. But when you examine operations — procurement, supplier selection, capital allocation — the alignment is often inconsistent. That disconnect creates real risk.

A global retailer provides a useful example. Despite strong sustainability commitments, inconsistencies in supplier practices led to regulatory scrutiny and investor pressure. The issue was not intent. It was governance failing to extend into execution.

The biggest challenge in sustainability today is not awareness. It is integration. Boards are now expected to treat sustainability as a strategic variable, not a reporting obligation. This requires:

Data is a major issue. Scope 3 emissions — which can account for 70–90% of total environmental impact — remain difficult to measure and verify. Yet regulators and investors increasingly expect transparency in this area.

Another shift is accountability. Sustainability oversight is moving from management to the board. Audit committees are expected to validate ESG disclosures with the same rigour as financial reporting. Investors are also becoming more selective. Large asset managers are already tying capital allocation to credible ESG performance, not just disclosures.

In this environment, sustainability becomes more than compliance. It becomes a test of organisational resilience. Organisations that embed ESG into decision-making will be better positioned to manage regulatory change, supply chain disruptions, and investor expectations. Those that treat it as a reporting exercise will face increasing scrutiny.

Sustainability is no longer about communicating what you intend to do.
It is about demonstrating what your organisation is structurally capable of delivering.

StraitsTribe helps organisations embed sustainability into governance, risk, and operational decision-making — turning ESG from reporting into measurable business performance.

AI Governance Starts in the Boardroom, Not the IT Department

After more than three decades in boardrooms across Asia, one pattern is clear: every major disruption eventually becomes a governance issue. AI is no different — but it is moving faster than anything we’ve seen before.

Most organisations today believe they have AI “covered.” There are policies, ethical guidelines, and technical teams in place. Yet when I ask a simple question — can you clearly explain how an AI-driven decision was made, validated, and approved? — the answer is often unclear. That is where the real risk sits.

AI introduces a fundamentally new challenge. Decisions are no longer linear or fully human-led. They are driven by data patterns, continuously evolving models, and automated logic that operates at scale. A 2025 global survey found that over 60% of organisations cannot fully explain critical AI decisions, especially in high-impact areas like credit scoring, fraud detection, and hiring.

We have already seen the consequences. A global bank deployed an AI fraud detection system that significantly reduced fraud losses. However, it also began flagging legitimate transactions at scale, frustrating customers and triggering regulatory scrutiny. The system worked exactly as designed — but governance had not anticipated its behavioural impact.

This is the shift boards must understand. AI does not eliminate risk. It changes its nature.

Forward-looking organisations are moving beyond policy-based governance toward embedded accountability. This starts with clarity on three fronts:

Without this clarity, oversight becomes symbolic.

AI risk also cuts across traditional silos. It is not just an IT or compliance issue. It spans:

Boards that treat AI as a standalone topic will miss systemic exposure.

Another critical shift is moving from periodic oversight to continuous assurance. AI systems evolve over time. Their outputs change as data changes. Annual reviews or static controls cannot keep pace. Leading organisations are implementing:

Globally, regulators are reinforcing this direction. The EU AI Act, along with emerging frameworks across ASEAN, emphasises explainability, accountability, and human oversight for high-risk systems.

The boards I work with are no longer asking, “How do we control AI?”
They are asking, “How do we design accountability into it?”

That is the real shift. AI will continue to transform how organisations operate. But governance will determine whether that transformation builds trust — or creates risk.

StraitsTribe partners with boards and leadership teams to design AI governance models that align innovation with accountability, transparency, and real-time oversight.

AI and Modern GRC: From Compliance Burden to Strategic Intelligence

Artificial intelligence is no longer a future conversation. It is already embedded into how organizations operate, make decisions, and manage risk. From automated approvals to predictive analytics, AI is quietly shaping outcomes across functions. Yet, while adoption is accelerating, governance is still catching up. And that gap is where the real risk lies.

For years, GRC has been viewed as a necessary layer — important, but often reactive. It documented risk, ensured compliance, and provided assurance after the fact. But AI is fundamentally changing that equation. It is forcing GRC to evolve from a control function into a system of intelligence that operates in real time.

What makes AI different from previous technological shifts is not just its speed, but its autonomy. Decisions are no longer always human-led. Algorithms are recommending actions, approving transactions, flagging anomalies, and in some cases, executing decisions without direct oversight. This introduces a new category of risk — not just whether controls exist, but whether decisions themselves are explainable, accountable, and aligned to organizational intent.

I often see organizations focusing heavily on deploying AI capabilities while underinvesting in the governance structures required to manage them. The conversation is dominated by efficiency and innovation, but far less by oversight and accountability. This imbalance creates exposure. Without clear governance, AI systems can introduce bias, operate as black boxes, and create regulatory and reputational risks that are difficult to trace once they materialize.

At the same time, AI is also the most powerful enabler GRC has ever had. When applied correctly, it transforms how risk is monitored and managed. Continuous control testing replaces periodic reviews. Real-time anomaly detection replaces retrospective analysis. Predictive insights replace reactive responses. In effect, AI turns GRC into a living system — one that senses, learns, and adapts alongside the business.

We are already seeing this play out across industries. In financial services, AI-driven transaction monitoring systems are identifying fraud patterns in seconds rather than days. In manufacturing, predictive maintenance models are flagging equipment risks before failures occur. In supply chains, AI is tracking disruptions and compliance risks across geographies in real time. These are not isolated use cases; they represent a broader shift toward embedded, intelligent governance.

However, the organizations that are truly unlocking value from AI in GRC are not those that simply adopt the technology. They are the ones that integrate it thoughtfully into their governance frameworks. They ensure that AI outputs are explainable, decisions are auditable, and accountability is clearly defined. They recognize that AI governance is not just a technical issue, but a leadership responsibility.

This is where the role of boards and senior leaders becomes critical. Governing AI requires a different level of engagement. It requires asking new questions: Do we understand how our AI systems make decisions? Do we have visibility into the risks they introduce? Are we balancing innovation with accountability? And perhaps most importantly, are we governing AI at the same pace at which we are adopting it?

The future of GRC will be shaped by how well organizations answer these questions. AI will not replace governance, but it will redefine it. It will push GRC beyond compliance into the realm of strategic decision support. It will enable organizations to move from hindsight to foresight, from static controls to dynamic intelligence.

But this shift will not happen automatically. It requires intent. It requires integration. And it requires leadership that understands that governance is no longer about slowing things down, but about enabling the organization to move forward with confidence.

In a world where decisions are increasingly driven by machines, the real differentiator will not be who adopts AI the fastest, but who governs it the smartest.

The Biggest GRC Risk Today Isn’t Technology — It’s the Governance Gap

We spend a great deal of time talking about emerging risks — artificial intelligence, cyber threats, ESG exposure, geopolitical instability. Yet, in my experience, the most significant risk organizations face today is not any one of these factors in isolation, but the widening gap between how quickly risk is evolving and how slowly governance is adapting.

Many organizations believe they are managing risk effectively. They have frameworks, policies, committees, and dashboards that provide a sense of structure and control. But beneath this surface, risk is still largely reported periodically, reviewed retrospectively, and managed in silos. In a world where risk evolves in real time, this creates a dangerous illusion of control.

The acceleration of AI illustrates this gap clearly. AI is no longer a standalone capability; it is becoming embedded into every layer of business operations, fundamentally reshaping how decisions are made. Yet governance mechanisms have not evolved at the same pace. Boards often lack the depth of understanding required to oversee AI effectively, and many organizations have yet to establish robust ethical, risk, and accountability frameworks. As a result, companies are introducing entirely new categories of risk faster than they can manage them. The challenge is not just technological — it is structural and strategic.

At the same time, other dimensions of risk are intensifying. One of the most overlooked areas is the rapid growth of machine identities — bots, AI agents, and automated systems that now outnumber human users in many environments. These identities create new vulnerabilities, from unauthorized access to complex identity-based cyber threats, and they challenge traditional approaches to governance and control. Organizations that fail to recognize and govern this shift risk losing visibility over critical parts of their own systems.

Overlay this with rising ESG expectations and regulatory scrutiny, and the pressure becomes even more acute. Stakeholders are demanding not just compliance, but transparency, accountability, and real-time accuracy in reporting. Governance is no longer about meeting minimum requirements; it is about building trust. And trust, once lost, is far harder to rebuild than any control framework.

What I have observed in organizations that are ahead of this curve is a willingness to rethink governance at a fundamental level. They are embedding GRC into business operations rather than treating it as a separate function. They are leveraging AI to enable continuous monitoring and predictive insights. They are integrating risk, compliance, and strategy into a unified view, and they are elevating governance capabilities at the board level. In doing so, they are not eliminating risk, but they are closing the gap between risk and response.

The future of GRC will not be defined by more frameworks or more documentation. It will be defined by governance that is faster, smarter, and more integrated. Because the real risk is not uncertainty — it is believing you are in control when you are not. And in today’s environment, that is perhaps the most dangerous assumption an organization can make.
