
May 15, 2026

When Internal Audit Capacity Falls Behind Today’s Governance Demands

The Gap Is Already There

Across the insurance industry, internal audit teams are being asked to do more, without a corresponding expansion in resources. Financial controls and recurring compliance activity remain core responsibilities. But Audit Committees and senior leaders now also expect assurance over cybersecurity readiness, AI governance, vendor risk management, business resiliency, data handling, and broader enterprise risk.

For many insurers, internal audit capacity and technical depth have stayed level while the list of responsibilities has grown longer. The mismatch does not always surface as a dramatic failure. More often, it accumulates quietly through deferred audits, reduced coverage depth, and risk areas that receive less oversight than initially intended. By the time the gap becomes visible under regulatory examination or in a board discussion, the conditions behind it have often been building for some time. That reality deserves direct attention.

Why This Issue Is Surfacing Now

The operating environment for insurers has shifted in ways that directly affect internal audit’s ability to provide adequate coverage.

AI and automation are entering underwriting, claims, finance, and decision support at an accelerating pace. Cybersecurity and data oversight have moved higher on board agendas. Third-party reliance has deepened, and regulators are paying close attention to how well insurers monitor the vendors and partners they depend on. At the same time, retirements, turnover, and a limited candidate pipeline have left many teams leaner with fewer people who hold the institutional knowledge needed to maintain continuity.

The result is internal audit functions facing broader demands with limited resources, while Audit Committee and regulatory expectations for reporting quality continue to rise.

Where Capacity and Skills Gaps Tend to Surface First

When internal audit cannot keep pace with the risk environment, the early warning signs tend to appear in areas defined by rapid technological change and processes that span several owners.

Audit plan delays and incomplete execution. When capacity is tight, audits may be deferred, reduced in scope, or not completed. This is often the earliest and most direct indicator, especially when deferrals affect newer risk areas.

AI and automated decision processes. New tools are often adopted faster than governance frameworks evolve. Coverage of data inputs, model use, change management, and accountability structures in AI-driven workflows may be limited or absent.

Cybersecurity and IT controls. Lean teams often defer or narrow IT audit coverage when capacity is strained. Gaps can build in access management, vendor security oversight, incident readiness, and system change controls.

Third-party and vendor dependencies. Third-party risk management programs may not address all vendors, may not include sufficient AI governance and cybersecurity assessments, and may rely on static reviews rather than ongoing monitoring. Nth-party risks—those tied to the vendors of vendors—often receive little attention at all.

Limited use of technology and data analytics. Internal audit functions that have not adopted data analytics and continuous control monitoring are operating at a capacity disadvantage. The ability to test full populations, identify high-risk areas, and produce reporting through data visualizations gives boards a clearer picture of emerging themes that point-in-time audits may miss.

Warning Signs Leadership Should Not Ignore

Insurers rarely discover a capacity issue because someone announces it. It shows up through recurring patterns in planning, execution, and reporting:

  • The audit plan emphasizes legacy areas while newer risk categories like AI, cyber, and vendor oversight receive little or no coverage
  • IT, cybersecurity, or data-related audits are repeatedly deferred or are narrow in scope, with outdated testing techniques and limited technical scrutiny
  • Management self-identifies issues before internal audit uncovers them
  • Audit Committee reporting focuses on completed work but offers limited visibility into what is not being covered
  • Remediation activity stays open longer because follow-up capacity is limited

Any one of these signals warrants a conversation. When several appear together, the case for a structured review of internal audit capacity is difficult to defer.

What Audit Committees and Leadership Should Ask Now

Sharper questions drive strong governance, helping leaders assess if their internal audit model aligns with the organization’s current risk profile.

  • Which current risk areas are receiving limited or no internal audit coverage?
  • Has the audit universe been updated to reflect AI adoption, cybersecurity exposure, third-party dependencies, and business resiliency?
  • Where does critical process knowledge sit with only one or two individuals?
  • Which processes and key controls are insufficiently documented?
  • Are IT and operational risks being covered with the same discipline as financial controls?
  • Does the Audit Committee have clear visibility into deferred work and coverage tradeoffs?
  • Is the current staffing or sourcing model appropriate for the organization’s risk profile?
  • Is technology helping the team expand testing, reporting, and risk identification?

What Insurers Can Do Before Gaps Become More Visible

A focused set of near-term actions can meaningfully improve internal audit coverage and governance confidence.

Refresh the risk assessment. Revisit whether the audit plan reflects how the business has changed. AI, cybersecurity, data governance, vendor risk, and business resiliency should be explicitly considered—not treated as secondary to legacy priorities.

Identify where knowledge is too concentrated. Map critical processes and control ownership. Where continuity risk is highest, prioritize documentation and cross-training.

Reassess the sourcing model. Consider whether co-sourcing or targeted specialist support is needed to cover areas requiring insurance, IT, cybersecurity, AI, or model risk experience. A hybrid approach can address gaps while in-house expertise is built.

Improve visibility for the Audit Committee. Report not only on completed audits, but also on deferred areas and coverage decisions. Committees cannot act on risks they cannot see.

Focus on the highest-value near-term moves. Address the areas most likely to attract stakeholder attention first. Use a phased approach rather than attempting to expand coverage everywhere at once.

Capacity Gaps Are Governance Gaps

When internal audit capacity falls behind, the consequences extend beyond staffing. They affect governance coverage, Audit Committee confidence, and the organization’s ability to maintain continuity in its control environment. Insurers that address this early are better positioned to align internal audit with current risk and leadership expectations—before gaps surface in a regulatory examination, a board discussion, or an operational failure.

If your internal audit function is being asked to cover more than it was originally designed to support, now is the right time to revisit how your internal audit function aligns with today’s governance demands.

Our 2026 Insurance Governance & Internal Audit Planning Guide outlines the broader planning considerations insurers should review as risk coverage, oversight expectations, and resourcing needs continue to evolve.

Kim Mobley

Partner

Jordan Fulbright

Senior Manager - Internal Audit
