Richard Chambers is seeing a neverending series of crises confronting internal auditors and posing risks to their organizations.
A former chairman of the Institute of Internal Auditors, Chambers currently chairs the UNICEF Audit Advisory Committee and is senior advisor of risk and audit at the audit technology company AuditBoard. His fourth book, “Connected Risk: Conquering the Perilous Risk Exposure Gap,” was published last month.
“The premise behind the book, and it’s something I’ve been talking about now for the better part of the last three years, is that it’s almost like when the 2020s dawned,” he told Accounting Today. “The switch was flipped in terms of risk, volatility and risk velocity.”
Richard Chambers
With a consequential election approaching, potential risks are top of mind for many voters. “Risks became much more volatile and unpredictable, and the speed with which they emerged became almost unfathomable,” said Chambers. “We’ve lurched from the pandemic to supply chain disruption to macroeconomic turbulence, to wars in Europe, wars in the Middle East. All of this has the combined effect of really challenging even the best risk managers out there, and the idea that risk managers can do their thing off in their silo.”
The election will bring its own set of risks. “Each party has clearly staked out its position on fiscal policies, tax policies and so forth,” said Chambers. “There’s a lot of uncertainty there as to which way it’s going to go, so you’ve kind of got to manage the risks in both directions. You’ve just got to be prepared for the.uncertainty that lies ahead.”
Internal auditors, risk managers and compliance professionals can no longer operate separately. “We are dealing with almost an existential threat to a lot of companies and a lot of industries,” said Chambers. “We’ve seen a lot of companies and industries be decimated in the last five years,” said Chambers. “What I’ve tried to do with the book is to offer a path forward. It’s in some ways a call to action that says, you know you can’t manage risks like you’ve traditionally managed them in the era of ‘permacrisis.'”
He sees it as a permanent state of crisis where everyone needs to get involved. “It’s all hands on deck,” said Chambers. “You’ve got to have the risk managers, the internal auditors, the compliance team, the information security professionals, everybody’s got to be on the same page. And there’s got to be a lot more collaboration, cooperation and communication to help companies manage the risks.”
Chambers experienced his own crisis in 2022 when his home in Florida was badly damaged by Hurricane Ian. He was only able to move back in this past June.
Cybersecurity and artificial intelligence open up a new set of challenges. “If I were to talk about, the top-of-mind risks in 2025, there’s a whole range of IT risks: cybersecurity, data security risks, increasingly AI,” said Chambers. “AI presents extraordinary opportunities, but it also is laced with some really significant risks. That’s going to become even more acute as we see more and more regulations put in place, legislation and regulations coming from governments to try and tie down how AI is used, to make sure it’s not misused.”
In addition, there is economic uncertainty around inflation, while recruiting is still a problem for many companies. “We’re still not out of the woods on talent management, the ability to recruit and retain the talent a company needs or an organization needs, has been in the top five for almost the whole decade so far,” said Chambers.
Internal auditors will be hard pressed to deal with all of these uncertainties. Chambers sees a “risk exposure gap” in the number of risks that are being presented to a limited number of auditors. “We’ve seen the risk continue to mount, but we have not seen a real increase in the resources to tackle those risks,” he said. “Internal audit resources have been stagnant at best. I personally think they’ve been in a modest decline for the last two or three years because they haven’t been keeping pace with inflation. You are seeing a lot of infusion of resources into risk management or into compliance.”
One way to offset some of the risk exposure gap is through better collaboration among various risk management professionals, along with more investment in up-to-date technology. “If everybody’s still trying to track risks and manage risks using spreadsheets, that’s really not going to be very effective in the volatile environment we’re living in,” said Chambers.
He wants to see more collaboration among internal auditors, risk managers, compliance professionals and information security personnel. “I often encourage the internal auditors to be the leaders in this collaboration movement,” said Chambers. “Start working more closely with the risk managers in your organization and with the compliance teams, in making sure that when you all get in front of the board or in front of the executive management, that you have a pretty good understanding of what the others are doing, that you have hopefully been able to align on what the true risk profile is of your company. There’s nothing that frustrates a board more than having two or three different folks come in and tell them that there are different risks that the company’s facing. I’ve had audit committee chairmen say we just throw them out and tell them to come back when they can find some common ground. There’s too much ambiguity out there anyway, and if a board has ambiguity in terms of their different key players coming in and telling them that the company’s facing different risks, it really leads to frustration. The key here is there’s no one player that has to be the one to take the lead. But if somebody’s going to take the lead and get everyone on the same page with risk management, I think internal audit’s a prime candidate.”
He sees the various risks multiplying now. “I’ve been in the profession for 50 years,” said Chambers. “Next year will be my 50th year since I joined internal audit right out of college, and I’ve never seen a period as volatile as these last five years. We have been averaging as many risk disruptive events per year as we used to see in a decade. The time has come for action and the key risk management players — the risk managers, internal auditors, compliance, infosec — the ball is in their court. If companies are going to navigate the second half of this decade with any degree of success, these players have to come together and be a part of it.”
The International Auditing and Assurance Standards Board is proposing to tailor some of its standards to align with recent additions to the International Ethics Standards Board for Accountants’ International Code of Ethics for Professional Accountants when it comes to using the work of an external expert.
The IAASB is asking for comments via a digital response template that can be found on the IAASB website by July 24, 2025.
In December 2023, the IESBA approved an exposure draft for proposed revisions to the IESBA’s Code of Ethics related to using the work of an external expert. The proposals included three new sections to the Code of Ethics, including provisions for professional accountants in public practice; professional accountants in business and sustainability assurance practitioners. The IESBA approved the provisions on using the work of an external expert at its December 2024 meeting, establishing an ethical framework to guide accountants and sustainability assurance practitioners in evaluating whether an external expert has the necessary competence, capabilities and objectivity to use their work, as well as provisions on applying the Ethics Code’s conceptual framework when using the work of an outside expert.
President Donald Trump’s tariffs would effectively cause a tax increase for low-income families that is more than three times higher than what wealthier Americans would pay, according to an analysis from the Institute on Taxation and Economic Policy.
The report from the progressive think tank outlined the outcomes for Americans of all backgrounds if the tariffs currently in effect remain in place next year. Those making $28,600 or less would have to spend 6.2% more of their income due to higher prices, while the richest Americans with income of at least $914,900 are expected to spend 1.7% more. Middle-income families making between $55,100 and $94,100 would pay 5% more of their earnings.
Trump has imposed the steepest U.S. duties in more than a century, including a 145% tariff on many products from China, a 25% rate on most imports from Canada and Mexico, duties on some sectors such as steel and aluminum and a baseline 10% tariff on the rest of the country’s trading partners. He suspended higher, customized tariffs on most countries for 90 days.
Economists have warned that costs from tariff increases would ultimately be passed on to U.S. consumers. And while prices will rise for everyone, lower-income families are expected to lose a larger portion of their budgets because they tend to spend more of their earnings on goods, including food and other necessities, compared to wealthier individuals.
Food prices could rise by 2.6% in the short run due to tariffs, according to an estimate from the Yale Budget Lab. Among all goods impacted, consumers are expected to face the steepest price hikes for clothing at 64%, the report showed.
The Yale Budget Lab projected that the tariffs would result in a loss of $4,700 a year on average for American households.
Artificial intelligence is just getting started in the accounting world, but it is already helping firms like technology specialist Schellman do more things with fewer people, allowing the firm to scale back hiring and reduce headcount in certain areas through natural attrition.
Schellman CEO Avani Desai said there have definitely been some shifts in headcount at the Top 100 Firm, though she stressed it was nothing dramatic, as it mostly reflects natural attrition combined with being more selective with hiring. She said the firm has already made an internal decision to not reduce headcount in force, as that just indicates they didn’t hire properly the first time.
“It hasn’t been about reducing roles but evolving how we do work, so there wasn’t one specific date where we ‘started’ the reduction. It’s been more case by case. We’ve held back on refilling certain roles when we saw opportunities to streamline, especially with the use of new technologies like AI,” she said.
One area where the firm has found such opportunities has been in the testing of certain cybersecurity controls, particularly within the SOC framework. The firm examined all the controls it tests on the service side and asked which ones require human judgment or deep expertise. The answer was a lot of them. But for the ones that don’t, AI algorithms have been able to significantly lighten the load.
“[If] we don’t refill a role, it’s because the need actually has changed, or the process has improved so significantly [that] the workload is lighter or shared across the smarter system. So that’s what’s happening,” said Desai.
Outside of client services like SOC control testing and reporting, the firm has found efficiencies in administrative functions as well as certain internal operational processes. On the latter point, Desai noted that Schellman’s engineers, including the chief information officer, have been using AI to help develop code, which means they’re not relying as much on outside expertise on the internal service delivery side of things. There are still people in the development process, but their roles are changing: They’re writing less code, and doing more reviewing of code before it gets pushed into production, saving time and creating efficiencies.
“The best way for me to say this is, to us, this has been intentional. We paused hiring in a few areas where we saw overlaps, where technology was really working,” said Desai.
However, even in an age awash with AI, Schellman acknowledges there are certain jobs that need a human, at least for now. For example, the firm does assessments for the FedRAMP program, which is needed for cloud service providers to contract with certain government agencies. These assessments, even in the most stable of times, can be long and complex engagements, to say nothing of the less predictable nature of the current government. As such, it does not make as much sense to reduce human staff in this area.
“The way it is right now for us to do FedRAMP engagements, it’s a very manual process. There’s a lot of back and forth between us and a third party, the government, and we don’t see a lot of overall application or technology help… We’re in the federal space and you can imagine, [with] what’s going on right now, there’s a big changing market condition for clients and their pricing pressure,” said Desai.
As Schellman reduces staff levels in some places, it is increasing them in others. Desai said the firm is actively hiring in certain areas. In particular, it’s adding staff in technical cybersecurity (e.g., penetration testers), the aforementioned FedRAMP engagements, AI assessment (in line with recently becoming an ISO 42001 certification body) and in some client-facing roles like marketing and sales.
“So, to me, this isn’t about doing more with less … It’s about doing more of the right things with the right people,” said Desai.
While these moves have resulted in savings, she said that was never really the point, so whatever the firm has saved from staffing efficiencies it has reinvested in its tech stack to build its service line further. When asked for an example, she said the firm would like to focus more on penetration testing by building a SaaS tool for it. While Schellman has a proof of concept developed, she noted it would take a lot of money and time to deploy a full solution — both of which the firm now has more of because of its efficiency moves.
“What is the ‘why’ behind these decisions? The ‘why’ for us isn’t what I think you traditionally see, which is ‘We need to get profitability high. We need to have less people do more things.’ That’s not what it is like,” said Desai. “I want to be able to focus on quality. And the only way I think I can focus on quality is if my people are not focusing on things that don’t matter … I feel like I’m in a much better place because the smart people that I’ve hired are working on the riskiest and most complicated things.”