Stay connected: follow us on LinkedIn and explore more at
www.CherryHillAdvisory.com.
Lorem ipsum dolor sit amet consectetur interdum quam duis varius facilis.
Latest Blogs
No items found.
Follow Us
.svg){kind=small}
The PCAOB doesn't oversee internal audit. It doesn't set our standards, dictate our workpapers, or weigh in on our independence. But when a regulator this important goes through a major shift, internal audit should pay attention not out of obligation, but because there's a real opportunity here.
With the departure of Chair Erica Williams and a new SEC-led push to slow or reverse many of the PCAOB's reforms, external auditors are headed into a period of change. That affects the broader audit and assurance landscape, including how boards and audit committees think about risk, controls, and independent oversight.
And that's where internal audit can step in not to fill a gap in technical regulation, but to offer stability, insight, and assurance that is independent of both management and external audit.
Over the last few years, the PCAOB had been moving fast. Under Williams' leadership, the board had:
• Proposed tighter rules around fraud detection responsibilities
• Overhauled quality control standards
• Increased transparency and inspection volume
• Issued record-setting fines for audit failures
• Reasserted global inspection powers, including China
In short: the PCAOB had been raising the bar on external audit quality, responsiveness, and accountability. That direction is now in question.
With a politically motivated leadership change at the SEC, and public signals that the PCAOB's scope and budget may be pulled back or realigned, the external audit community is heading into uncertainty. There will be fewer signals coming from the regulator, more time before new rules are finalized, and possibly, less urgency around enhancing audit firm performance.
This isn't internal audit's problem but it's internal audit's moment.
Internal audit doesn't rely on the PCAOB. We don't defer to external auditors. Our job is independent by design. That independence now becomes one of our greatest assets.
Here's why.
When oversight bodies stall or shift direction, board members and audit committees still want strong assurance that controls work, risk is being managed, and financial reporting remains sound. If they sense that external auditors are facing less pressure to improve, they'll look for someone else in the room who can speak clearly and directly with independence.
Internal audit can be that voice. You don't need a change in rules to raise the bar. You don't need an inspection threat to justify focus on tough areas like management override, fraud risk, or operational control weakness. And unlike management, your job is to tell the truth as you see it.
Boards will take note.
The three lines model works best when each role is clear and distinct:
• First line: operational management
• Second line: risk, compliance, and control monitoring
• Third line: independent assurance
With less external audit momentum on the horizon, the third line is positioned to become even more central to risk oversight. Audit committees are often stuck trying to reconcile insights from management and the external auditors. Internal audit is the only function with access to both and independence from both.
This moment gives internal audit a chance to step into more active committee engagement:
• Informing audit committee members on emerging risks
• Highlighting long-term control gaps not tied to year-end financials
• Challenging management with credible, risk-based findings
• Flagging misalignment between audit firm scope and actual risk
This isn't about grabbing territory. It's about meeting the board where their concerns are, and becoming the most informed, steady, and credible line of defense in the room.
Let's be clear: if PCAOB oversight becomes less aggressive, that doesn't mean company risk levels fall. It just means fewer third parties may catch issues. That's where internal audit can show leadership not by acting like a regulator, but by being proactive.
Use this moment to:
• Strengthen your risk assessment
• Increase visibility into global and decentralized operations
• Take a hard look at areas with management judgment (e.g., revenue, reserves, goodwill)
• Build out the fraud lens in your internal audit plan even if the PCAOB takes pressure off the auditors
There's a false sense of security that can follow when regulators get quieter. Internal audit shouldn't fall into it.
The PCAOB shift is not a call to panic. It's not a threat to internal audit's work. But it is a signal that you may be the most stable, risk-focused, and objective assurance function left in the room.
When the external environment gets noisy, internal audit can be the one thing that stays clear. Not reactive. Not political. Just steady, independent, and committed to protecting the long-term interests of the company.
Boards will notice. Audit committees will lean in. And internal audit if it stays sharp, grounded, and direct can turn this moment into a lasting seat at the center of the third line.
⸻
If you're not positioning internal audit as the board's most trusted voice during regulatory uncertainty, you're missing your moment.
The PCAOB doesn't oversee internal audit. It doesn't set our standards, dictate our workpapers, or weigh in on our independence. But when a regulator this important goes through a major shift, internal audit should pay attention not out of obligation, but because there's a real opportunity here.
With the departure of Chair Erica Williams and a new SEC-led push to slow or reverse many of the PCAOB's reforms, external auditors are headed into a period of change. That affects the broader audit and assurance landscape, including how boards and audit committees think about risk, controls, and independent oversight.
And that's where internal audit can step in not to fill a gap in technical regulation, but to offer stability, insight, and assurance that is independent of both management and external audit.
Over the last few years, the PCAOB had been moving fast. Under Williams' leadership, the board had:
• Proposed tighter rules around fraud detection responsibilities
• Overhauled quality control standards
• Increased transparency and inspection volume
• Issued record-setting fines for audit failures
• Reasserted global inspection powers, including China
In short: the PCAOB had been raising the bar on external audit quality, responsiveness, and accountability. That direction is now in question.
With a politically motivated leadership change at the SEC, and public signals that the PCAOB's scope and budget may be pulled back or realigned, the external audit community is heading into uncertainty. There will be fewer signals coming from the regulator, more time before new rules are finalized, and possibly, less urgency around enhancing audit firm performance.
This isn't internal audit's problem but it's internal audit's moment.
Internal audit doesn't rely on the PCAOB. We don't defer to external auditors. Our job is independent by design. That independence now becomes one of our greatest assets.
Here's why.
When oversight bodies stall or shift direction, board members and audit committees still want strong assurance that controls work, risk is being managed, and financial reporting remains sound. If they sense that external auditors are facing less pressure to improve, they'll look for someone else in the room who can speak clearly and directly with independence.
Internal audit can be that voice. You don't need a change in rules to raise the bar. You don't need an inspection threat to justify focus on tough areas like management override, fraud risk, or operational control weakness. And unlike management, your job is to tell the truth as you see it.
Boards will take note.
The three lines model works best when each role is clear and distinct:
• First line: operational management
• Second line: risk, compliance, and control monitoring
• Third line: independent assurance
With less external audit momentum on the horizon, the third line is positioned to become even more central to risk oversight. Audit committees are often stuck trying to reconcile insights from management and the external auditors. Internal audit is the only function with access to both and independence from both.
This moment gives internal audit a chance to step into more active committee engagement:
• Informing audit committee members on emerging risks
• Highlighting long-term control gaps not tied to year-end financials
• Challenging management with credible, risk-based findings
• Flagging misalignment between audit firm scope and actual risk
This isn't about grabbing territory. It's about meeting the board where their concerns are, and becoming the most informed, steady, and credible line of defense in the room.
Let's be clear: if PCAOB oversight becomes less aggressive, that doesn't mean company risk levels fall. It just means fewer third parties may catch issues. That's where internal audit can show leadership not by acting like a regulator, but by being proactive.
Use this moment to:
• Strengthen your risk assessment
• Increase visibility into global and decentralized operations
• Take a hard look at areas with management judgment (e.g., revenue, reserves, goodwill)
• Build out the fraud lens in your internal audit plan even if the PCAOB takes pressure off the auditors
There's a false sense of security that can follow when regulators get quieter. Internal audit shouldn't fall into it.
The PCAOB shift is not a call to panic. It's not a threat to internal audit's work. But it is a signal that you may be the most stable, risk-focused, and objective assurance function left in the room.
When the external environment gets noisy, internal audit can be the one thing that stays clear. Not reactive. Not political. Just steady, independent, and committed to protecting the long-term interests of the company.
Boards will notice. Audit committees will lean in. And internal audit if it stays sharp, grounded, and direct can turn this moment into a lasting seat at the center of the third line.
⸻
If you're not positioning internal audit as the board's most trusted voice during regulatory uncertainty, you're missing your moment.
