The Mysterious Tune: Internal audit and the age of radical uncertainty
30 March 2026
Sometimes in life, a metaphor grabs you intellectually and simply will not let go. Walter Isaacson, biographer of such varied characters as Leonardo da Vinci and Elon Musk, wrote the definitive biography of Albert Einstein and in so doing, shone a bright torch on the inner workings of one of humanity’s greatest thinkers. While large tracts of the book are devoted to scientific theories, much of it explores Einstein’s more general world view. And it is in Einstein’s views on religion that Isaacson describes one of Einstein’s greatest metaphors. Asked whether he believed in God, Einstein replied that he was in the position of a little child entering a huge library filled with books in many languages. The child knows that someone must have written those books. It does not know how. It does not understand the languages in which they are written. The child dimly suspects a mysterious order in the arrangement of the books, but does not know what it is. That, said Einstein, is the attitude of even the most intelligent human being toward God. We see the universe marvellously arranged, obeying certain laws, but we only dimly understand those laws. It was not, at its heart, a religious statement; it was a philosophical one. And it is, in this author’s view, one of the most precise and beautiful descriptions ever written of the human condition in an age of radical uncertainty.
While that was said in 1930, an audit committee member in 2026 could be forgiven for feeling a soft pulse-like sensation of being a child in a dimly lit library. The books keep arriving and the languages keep changing. In the past five years alone, Europe has absorbed three once-in-a-lifetime shocks: a global pandemic, a land war, and a rupture in the global trading order that no risk register had modelled. And now, layered upon all of this, artificial intelligence, perhaps the most consequential new arrival in the library, written in a language that even its authors may not fully understand.
Today we live in a library of risks that has never been larger, never been faster moving, and never been written in so many languages simultaneously.
Internal audit is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It operates within organisations across every sector, including financial services, public bodies, healthcare, retail and energy, providing boards and management with an informed, independent perspective on risk, control and governance. “Auditing”, in the general conventional sense, provides opinions on historic financial information. Internal audit is something different. It is a form of auditing, and it is commonly misunderstood in a consistent direction. People assume it is checking the past, verifying the record. It does those things. But that is not, or should not be, its primary orientation. Internal audit, properly understood, is a forward-looking discipline. It is risk based. It nurtures what might be called risk intelligence, the capacity to sense, interpret and communicate the risk landscape with enough clarity and enough independence to inform good decisions at the highest levels of governance. The Institute of Internal Auditors, in its 2024 Global Internal Audit Standards, is explicit about this. The mission of internal audit is to provide assurance, advice, insight and foresight. Four words, each doing distinct work. Assurance looks backward. Advice looks sideways. Insight looks inward. And foresight points the torch forward. Into the library at the books still being written in the languages still being formed. Internal audit, done correctly, shines a light in the dimly lit library. Not only in the familiar corners where the light has always fallen but in the darker reaches, where the new books are arriving in languages nobody has yet learned to read.
If the audit committee member of 2026 feels like a child in a dimly lit library, the Risk in Focus 2026 report, produced by the Chartered Institute of Internal Auditors in conjunction with the European Confederation of Institutes of Internal Auditing, drawing on the views of 879 Chief Audit Executives across fifteen European countries, provides the most authoritative map of that library currently available. The headline finding is striking. The top organisational risks (cybersecurity, human capital, digital disruption, geopolitical uncertainty and regulatory change) are clustered more closely together than at any point in the survey’s ten-year history. This is not a world in which one dominant risk towers above the rest. It is a world in which multiple serious risks sit at roughly equal elevation, deeply interconnected, each capable of amplifying the others. The books are no longer on separate shelves. They are talking to each other. Cybersecurity sits at the top, as it has throughout the survey’s history, but its nature has fundamentally changed. The Central Bank of Ireland, in its February 2026 Regulatory and Supervisory Outlook, made this point with quiet but unmistakeable force. Operational resilience and cyber risk have been reclassified, repositioned from an operational silo into the macro-systemic risk domain, reflecting their systemic, economy-wide impact. This is not a worsening of a known risk. It is a philosophical repositioning of what that risk actually is. Cyber is no longer one shelf in the library. It is the architecture of the building itself.
And then there is the wider rupture. At Davos in January 2026, Mark Carney, former Governor of both the Bank of Canada and the Bank of England, and one of the most authoritative voices in global finance, said something that deserves to be heard in every boardroom and every audit committee. “We are in the midst of a rupture, not a transition. Over the past two decades, a series of crises in finance, health, energy and geopolitics have laid bare the risks of extreme global integration. Great powers have begun using economic integration as weapons.” A rupture. Not a disruption. Not a transition. A rupture. The library is not being reorganised. It is being rebuilt from the ground up, in real time, in languages that are still being invented.
So, what should audit committees do with all of this?
- Plan carefully: This is the single most important point. Internal audit lives or dies by the quality of its planning. A weak plan produces weak assurance. A strong plan, one that is risk based, forward looking and honestly calibrated to the world as it actually is, produces genuine intelligence. Audit committees should scrutinise the plan. They should challenge it.
- Ensure the plan is risk based: The audit plan must be anchored in the real risk landscape: not last year’s risk register, not the most comfortable areas to audit, but the risks that actually matter right now. Cyber resilience must feature, not as a tick-box technical review, but as a systemic, enterprise-wide assessment. Human capital, AI governance, geopolitical exposure and operational resilience are not optional extras.
- Keep the audit universe current: The audit universe is the map from which the plan is drawn. Maps go out of date. Audit committees should ask – when was this universe last updated? Does it reflect a world in which cyber is a macro-systemic risk, not an ICT silo? Does it include emerging risk areas that did not exist three years ago? An outdated universe produces an outdated plan.
- Demand insights, not just findings: An internal audit report should do more than record what was found. It should explain what it means. It should connect individual findings to the broader risk landscape. It should say something the audit committee did not already know. Reports that merely confirm the expected are of limited value. Reports that illuminate the unexpected are invaluable.
- Seek risk intelligence: Internal audit, properly positioned, is the organisation’s most independent and enterprise-wide source of risk intelligence. Audit committees should use it as such. Give them genuine space to share emerging concerns, early signals, and uncomfortable observations. That conversation may be more valuable than any written report.
- And ask the resilience question: At least once a year, the audit committee should ask directly: if something arrives that we did not model, from a direction we are not currently watching, can this organisation absorb it? Can we recover? That question, asked honestly and answered independently, may be the most important question on the agenda.
Elsewhere in Isaacson’s biography, Einstein reflects on the human condition as follows: “Human beings, vegetables, or cosmic dust,” he wrote, “we all dance to a mysterious tune, intoned in the distance by an invisible player.” Einstein is not describing chaos. He is saying there is a tune. There is a player. There is an underlying order to the risk landscape: patterns, connections and rhythms that can be partially heard, if the right ear is tuned in at the right time, with the right focus. And with his theory of relativity, Einstein heard a tune that nobody else had heard. Internal audit does not hold all the answers. It will not unravel the full melody. That is beyond anyone’s reach. But internal audit, properly resourced, properly planned, and properly engaged by an audit committee that understands its true purpose, can bring more notes into audibility. It can hear the change in tempo before the rest of the organisation does. It can sense the new instrument entering the composition before it has fully announced itself. That is the aspiration of the modern internal audit profession.
Brian Hayes is a Partner at Moore Ireland, where he leads the firm’s internal audit practice. This article was written to coincide with the Chartered Institute of Internal Auditors Ireland Conference taking place on 7 May 2026 at Croke Park, Dublin. The conference theme, “Internal Audit: Relevance, Resilience, and Reinvention”, speaks directly to the ideas explored above. It promises a full day of insight, expert speakers and practical sessions, closing with a networking reception.