As 2025 draws to a close, we reflect on a major observation from the past 12 months. Internal audit teams are being asked to cover not only the traditional financial and control assurance, but increasingly:
- digital-risk and cyber controls,
- data-analytics driven audit techniques,
- business-processes and transformation assurance, and
- emerging technology and non-financial risks (AI, cloud, ESG).
According to the 2025 global IT internal audit outlook from KPMG International, only 42 % of surveyed organisations said they have “good” or “excellent” readiness for auditing risks associated with cloud, AI, ML and blockchain. Furthermore, that same report found that a mere 4 % of functions rate themselves as a “trendsetter” in technology audit maturity (with 49 % at the foundational level).
A 2025 survey by Jefferson Wells found that 85 %+ of audit leaders say they rely on external partners to fill critical skill-gaps in IT audit, data analytics and cyber risk.
These statistics underline a clear theme for audit functions: the supply of auditors with the combined skill-set of IT, data analytics and business acumen is under pressure.
Why the “Triple Threat” matters
Why is this broad set of skills so critical? There are several factors at play here:
- Technology-driven business models: Organisations are increasingly digital, cloud-enabled and data-intensive. Internal audit must understand how controls work in these environments and how risk manifests (not just “does a control exist?” but “is it operating in a SaaS‐/cloud-/API-first world?”)
- Data analytics becoming core to audit methodology: Audit teams are expected to sample much larger populations, identify patterns, exceptions, anomalies using tools rather than purely manual testing. That demands both technical analytics capability and business process understanding.
- Business risk orientation: Audit is shifting from retrospective assurance towards prospective advisory – linking to transformation projects, business strategy and disruptive tech.
- Regulators, boards and stakeholders expect more: Emerging regulations (e.g., cloud governance, data privacy, AI risks) mean audit must cover business-tech intersections. If the audit team lacks IT/data fluency and business insight, there’s a risk of “blind spots”.
The supply-demand gap
Data shows us there is a substantial gap between what audit functions need and the talent available. Many audit teams are only partially equipped (either good at IT-audit but weak on business acumen, or strong in business but lacking data/tech skills) and the gap is unlikely to close quickly, without deliberate strategy.
How to compete for this scarce talent
Given the skills scarcity, audit functions must be proactive and strategic in how they attract, hire and retain Triple-Threat auditors. Here are key approaches:
1. Expand the talent profile
- Broaden candidate pools: look at professionals not only from classical internal audit, but also from IT audit firms, data-analytics teams, risk functions, consulting.
- Even hire hybrids: someone with strong data/IT background and train them in audit methodology and business context (rather than expecting all dimensions to be present upfront).
- Emphasise business-context roles: when writing job-descriptions, highlight that you are looking for “audit-professionals with data-analytics fluency and business-process insight”, not just “IT auditors”. That helps attract candidates who see themselves as business-partners rather than purely technical.
2. Build a strong employer value proposition (EVP)
- Emphasise the strategic nature of the role: “You will audit transformation, data platforms, emerging risks (AI, cloud) and influence business decisions”.
- Offer meaningful stretch: career path into “audit-analytics lead”, “business risk partner”, not just “IT audit specialist”.
- Provide the tools and autonomy: ensure new hires will get exposure to real data-analytics tooling, cloud environments, cross-functional teams (not just legacy controls).
- Flexibility, development and brand: in competitive markets, talent may receive offers from analytics or tech firms; emphasise your audit team’s opportunity to work at the intersection of business, tech and risk.
3. Competitive compensation and roles
- Recognise market salary inflation in IT/data-audit specialists: expect to pay a premium.
- Consider flexible resourcing models: part-time, job-sharing, remote/hybrid options may help attract scarce talent who also value flexibility.
- Use external partners wisely: where full-time hiring is hard, bring in co-sourcing or contractors – but ensure the role has a path to internalisation.
4. Fast, robust hiring process
- Streamline technical assessment: include data-analytics case-study and business-scenario in interviews.
- Assess all three dimensions: IT/tech fluency, analytics/methodology skills, business-process understanding.
- Offer clarity on role’s business-impact: candidates want to see they will influence operations, not just audit controls.
How to build these skills internally
Given the scarcity of externally hireable Triple-Threat auditors, organisations should also invest in building capability internally. Here’s a five-step approach:
1. Map current skills and target gaps
- Conduct a skills inventory: what percentage of your audit team is comfortable with data analytics? cloud/IT controls? business-process risk?
- Use maturity frameworks (such as KPMG’s technology audit maturity ladder) to assess where your team sits (Foundational, Emerging, Trendsetter) and set target levels. KPMG Assets
2. Develop a learning and progression path
- Create a curriculum: e.g., foundational IT-audit concepts → data-analytics tools/techniques → business-process/risk partnering → emerging tech risk (AI, cloud, blockchain).
- Use certifications and credentials: encourage training in analytics (e.g., SQL, Tableau, Python), IT audit certifications (CISA, CISSP), business risk/ERM frameworks.
- Offer rotational or secondment opportunities: embed audit staff in data teams, IT risk, transformation projects so they gain business-tech exposure.
3. Embed analytics into audit methodology
- Replace manual sampling with data-driven testing: equip audit teams with tools and access to enterprise data.
- Develop analytics templates and dashboards: make it easier for auditors to apply analytics rather than learn from scratch each time.
- Cultivate partnerships with data engineering/IT teams: ensure audit has access to data and the technical support needed.
4. Strengthen business-risk partnering
- Train auditors in business language: what drives the business? What are the key operational risks? How do technology changes impact the profit model?
- Embed audit earlier in transformation projects: rather than auditing after the fact, have audit participate in design phase so they understand business context and tech implications.
- Encourage stakeholder engagement: audit professionals must be able to articulate findings to senior management, not just report compliance issues.
5. Monitor, measure and evolve
- Establish KPIs: percent of audits using analytics, number of auditors certified in data/IT skills, time saved through analytics, business-value recommendations made.
- Use internal maturity assessments periodically: track movement from Foundational → Emerging → Trendsetter.
- Review talent pipeline: identify next-gen audit professionals who show tech/data aptitude and invest in them early.
Conclusion
The internal audit profession has reached a crossroads. The demand for auditors who combine IT/tech insight, data-analytics skills and business acumen has never been greater, yet the supply remains constrained. As the data shows, many audit functions are not yet well-prepared to meet the emerging risks from AI, cloud and data governance.
Organisations need to compete for the Triple Threat auditors – and must additionally build these skills internally, to secure long-term resilience.
At Leonid, we partner with audit leaders and risk functions to help define these skill profiles, benchmark compensation for in-demand roles, and source or develop the talent required to bridge the gap. If you’d like a talent-mapping exercise, skills-gap assessment or benchmarking for Internal Audit roles in your sector, we’d be delighted to support you. Please contact Adam Bond for more information.