When governance failures become public, it is natural to ask whether an internal audit function was effective. That question is important, but it needs to be asked properly. An internal audit function does not operate in isolation. Its value depends on how close it is to emerging risk, whether it has the skills and resources to do the work, and whether leaders act when uncomfortable findings are raised. Without that, warning signs may be seen and documented yet still not change the outcome. This matters in every sector because organisations are making decisions in conditions that move faster than their oversight structures were designed for. Resources are tighter, scrutiny is sharper and technology environments are becoming more complex. In that context, a weak control, an ignored finding, a poorly governed technology project or a culture that discourages uncomfortable reporting can quickly escalate from internal risk to institutional failure. The challenge is not that organisations lack governance language. Many have frameworks, committees and risk registers. The harder question is whether these translate into better decisions, stronger controls, ethical leadership and timely action. Warning signs During the recently concluded 12th African Federation of Institutes of Internal Auditors (IIA) conference, public protector Kholeka Gcaleka made this point clearly. External oversight bodies often arrive after a complaint, an audit cycle or the damage itself. Internal auditors work inside organisations, where they see systems, documents, transactions, behaviours and control weaknesses as they occur. That proximity gives the internal audit an opportunity to act as an early-warning signal, but it also creates responsibility. When an internal audit is properly positioned, skilled, independent and supported, it can help organisations identify where risk is building and leadership needs to act. When it is marginalised, underresourced or treated as a compliance exercise, those warning signs may still be documented but not always influence decisions quickly enough. This matters in environments where corruption systems are organised and resistant to scrutiny. Internal auditors and whistle-blowers often carry personal and professional risk when they expose wrongdoing. Accountability is not only a technical process. People need protection, networks and institutional support to raise concerns without being isolated or punished for doing their work. Cybersecurity Technology brings the same challenge into sharper focus. Cybersecurity, digital disruption, AI, data quality and business resilience are no longer technical issues. They now shape continuity, financial exposure, customer trust, regulatory risk and board accountability. The IIA’s 2026 Risk in Focus survey shows how real that pressure has become: 86% of internal audit leaders seek help from external providers, most often for cyber risk and IT audits, while 67% say staff technical capabilities are not fully aligned with key priorities. Cybersecurity; business resilience; digital disruption, including AI; financial or liquidity risk; and fraud ranked among the highest risks in Africa. That is not a small skills gap. It constrains the profession’s ability to do the work being asked of it. If an internal audit function is expected to address increasingly complex risks, organisations must invest in the skills, tools and authority to do so effectively. Expecting an internal audit function to cover expanding risk with shrinking resources is not efficient. It is deferred risk. Moving closer to decisions Traditional assurance remains essential, but it cannot be the only way we show up. Internal auditors need to be in the room earlier, when leaders are still shaping decisions about innovation, resources, AI governance, data quality, culture and strategic risk. They must help organisations ask better questions before major decisions are made, rather than only reviewing whether procedures were followed afterwards. Boards face greater expectations, more intense scrutiny and competing demands in a disrupted environment. An internal audit function can help them navigate this, but only if it has the independence to speak clearly and the credibility to be heard. That credibility is built through the International Professional Practices Framework, the certified internal auditor global certification, practical experience, continuous learning and ethical courage. It is also why the African Federation of IIA conference matters. It gives the profession space to confront shared challenges, learn from different African contexts, and strengthen the capabilities internal auditors will need next. The next generation will need audit fundamentals, AI, data analytics, cybersecurity, resilience, organisational behaviour and professional courage. Technical skill and human judgment will have to develop together. For Africa, well-positioned internal audit functions help build institutions that protect public trust, investment, service delivery, organisational performance and long-term resilience. An internal audit function should not be reduced to reports, findings or compliance checklists. Properly positioned, it helps leaders see what is coming, understand what is at stake, and act before risk becomes failure. That is the role our internal audit profession must continue to earn. • Volmink is CEO of the IIA South Africa.