Evelyn Khoo
Engagement
AI Readiness in Internal Audit
Reference
AI‑2026‑01
Status
Open — Collecting Input
Prepared By
Evelyn Khoo
An Independent Enquiry · Internal Audit × Agentic AI

Twenty years testing other people’s controls. This year I’m testing a hypothesis.

I’m Evelyn Khoo, Head of Internal Audit, APAC, with more than two decades across retail, luxury goods, and manufacturing — store and plant-floor audit, operational review, investigations, SOX compliance, and the system implementations that were supposed to make all of it easier. I’m now running a short, independent enquiry into what Heads of Internal Audit — and Controllers — actually want from agentic AI — not the vendor pitch, not the roadmap slide. Ten minutes of your priorities, in your words.

§1.0

Background

Like most internal auditors and controllers, I started in external audit. The move into internal audit and SOX compliance came before I understood the business — that came later, from the store floor: inventory write-offs, reconciling tills at close, operations audited through a different lens than the one I trained in. Two decades of audit committee reporting, cross-border investigations, and system rollouts later, that operational view is still the one I trust most.

Retail and manufacturing audit resists automation for a reason: cross-border transfers, Limited Risk Distributor structures, consignment and wholesale arrangements rarely fit a standard control framework. Which is exactly why I want to hear from practitioners before I believe a vendor’s demo.

This site is a personal research project, not a firm or a product — my own views, not made on behalf of any employer, past or present.

Experience
20+ years, internal audit & risk
Sector Focus
Retail & manufacturing, luxury specialism
Certifications
FCA
Current Role
Head of Internal Audit, APAC
Based In
Asia–Pacific
§2.0

Areas of Expertise

2.1

System Implementation

Control design embedded into ERP, POS, and inventory rollouts — audit involved before go-live, not after the first exception report.

2.2

Internal Audit

Risk-based audit planning and execution across corporate and regional functions, with reporting lines running to the audit committee.

2.3

Operational Review

End-to-end walkthroughs of retail and manufacturing operations — supply chain, merchandising, production and clienteling — and the manual workarounds that live in the gaps between systems.

2.4

Investigations

Fraud, misconduct, and policy-breach investigations — from a till discrepancy in one boutique to cross-border supply chain leakage.

2.5

SOX Compliance

Design and testing of ICFR programmes for listed retail and manufacturing groups, including remediation of deficiencies found the hard way.

2.6

Store Audit

Boutique-level control testing across flagship, outlet, and pop-up formats — cash handling, inventory shrinkage, consignment stock, and loss prevention.

§3.0

Observations to Date

Before asking practitioners for their time, I looked at what the recent survey data already shows. Two figures sit uncomfortably close together: adoption is racing ahead, confidence is not.

Exhibit A — Adoption Is Already Here
83%

of audit functions are already piloting or using AI, with another 12% planning to within the year.

Source: Gartner CAE Survey, Jan 2026 ↗
70%+

of CAEs rank building a culture of innovation and better use of GenAI as an important or extremely important 2026 priority.

Source: Gartner CAE Survey, Jan 2026 ↗
51%

cite business process improvement and cybersecurity as tied top investment priorities for the audit function.

Source: Protiviti, Top Risks for Internal Audit 2026 ↗
Exhibit B — And Confidence Hasn’t Caught Up
31%

report high or extremely high confidence that their function can actually build a tech-savvy audit culture.

Source: Gartner CAE Survey, Jan 2026 ↗
92%

of executives report running into real issues implementing AI in the past year — data quality, skills, and unclear use cases lead the list.

Source: RSM, 2025 implementation study

“The gap isn’t whether to adopt AI. It’s that most of what’s being built wasn’t designed by anyone who had to learn the business from the store floor up — the way most of us did.”

§4.0

Request for Input

This is the part the survey data can’t give me. If you lead an internal audit, controllership, risk, or controls function, I’d like ten minutes of your actual priorities — not for a product, not for a pitch, just for a clearer picture of what would genuinely help.

Responses are used solely to inform this independent research. Individual answers won’t be attributed without your permission; findings will be shared back in aggregate.

Opens a pre-filled email in your default mail app. Nothing is sent until you press send there.