Roberto Zambelli

But 2026 is a year of transformation for internal audit. I think I kind of echo what the IIA Vision 2035 said, that we are at risk of becoming irrelevant. My view is that we are not at risk in 2035, but we are at risk at 2026. 2027.

Trent Russell

Hello everybody. Welcome to another episode of the Audit Podcast. I'm your host, Trent Russell and today we have Roberto Zambelli, who says his name way cooler than I do. Roberto is the head of audit for Vodafone 3, formerly known as Vodafone. So Roberto is the head of audit at Vodafone 3, formerly known as Vodafone. Those in the UK I'm sure are familiar. For those who do not live in the uk, Vodafone is one of the largest telecommunication companies in the uk. Roberto's specialty actually is relative to behavioral science and culture. And so it would just so happen that the I a topical requirement on organizational behavior came out. Actually in between, we actually recorded an episode, we talked about the topic and then the topical requirement came out. So we said, all right, let's just come back, we'll redo it. So that's what we're going to talk about today. Effectively, it's that topical requirement from the iia. Roberto absolutely crushes it. So I'm going to shut up so we can get to the good stuff. And with that said, here we go. Roberto, what do you have a maybe a go to a novel, something of interest that the listeners might be interested in, a use case prompt, something from ChatGPT, whether it be from your personal life or your personal or rather your professional life.

Roberto Zambelli

Yes, TreT, I've had two goes at ChatGPT recently. On the personal side, a little bit of background. My daughter is an aspiring DJ and she managed to put half an hour session in her first sort of full half an hour DJ set. And I wanted to share it. Well, we wanted to share it on SoundCloud, but funny enough, her initials are already taken up by a famous dj. So I looked at interesting names for or stage names for an aspiring sort of DJ and ChatGPT suggested a few options. To be honest, none of them passed the teenage scrutiny. So that was one one prompt. Not as creative as I would like it to be, to be honest. So we have to revert to old fashioned teenager dad brainstorming stuff. On the professional side, funny enough, I tried to look at try and get a summary from ChatGPT on trends and sort of upcoming predictions for 2026 in terms of internal audit trends and a little bit of the boiling down, the various opinion, various articles, various sort of inputs that there are out there at the moment and see what ChatGPT came up with in terms of the trends for 2026. And unsurprisingly, one of them was AI, of course.

Trent Russell

Get out of here.

Roberto Zambelli

No way.

Trent Russell

I don't believe.

Roberto Zambelli

Yeah, it's surprising. Nothing, Nothing shocking at all. Also, in terms of the second thing, not shocking at all was the organizational behavior. Organizational behavior into audit and how to audit culture, etc. And obviously the third one that will shock you also, geopolitical instability. So that's basically, again, not the creative side of AI, unfortunately. But there we are.

Trent Russell

Yeah, we just did a risks for 2026 kind of episode we always have. It's a partner for board matters, Pat Neiman, who comes on once a year and kind of tells us, hey, this is everything that I've heard from board members over the past year and what they're expecting going in 2026. And I think you just rattled off the three that he mentioned also, so I'd say kind of nailed it from that. Maybe they just pulled straight from his episode.

Roberto Zambelli

I don't know.

Trent Russell

Well, real quick on the DJ name, who should we be looking out for? DJ who?

Roberto Zambelli

We haven't got to the end yet, so. Yeah, I'll. I'll share the link once we've uploaded it. We haven't finalized the name yet. It's a tricky one. But that's for episode two, to be continued.

Trent Russell

All right, well, I thought D.J. who would even be just a good name. So I looked it up real quick and there is a DJ who.

Roberto Zambelli

Yeah, there is. Yeah. And there's all sorts of. It's like a domain name. Every. Every. There's every option under the sun that's been taken up by DJs or aspiring DJs. So. But yeah, we'll get there. We'll find something.

Trent Russell

Yeah, there's a. I was gonna say even DJ Roberto, but there's already a diary.

Roberto Zambelli

Yeah, my daughter's name is Lucia, but there's a huge amount of Lucia, lz, lbz, every sort of option. So it's work in progress.

Trent Russell

Hey, everybody, we're gonna take a quick break from our guests and if you need to get analytics or AI actually working in your internal audit department, or if you already have some of it, you feel like you're not really getting exactly what you need out of it, you know, there's more you're not getting that. Go to the show notes. Look for the Green Skies analytics link, click it on the website. There'll be other links that you can click that'll take you directly to a calendar to schedule time. It's literally three clicks to get the time scheduled to get it figured out. All right, back to the show. So there might be this misconception about topical requirements and that you have to do them, but I know when the cyber security one came out, it was blocked or like, hey, if it falls in line or there's some other conditions of an audit that you're doing, then we want you to use this topical requirement. So with that understanding, Roberto, what are the conditions, maybe the types of audits that someone would need to do take this topical requirement into consideration.

Roberto Zambelli

Yeah, you're 100% right. None of these is you must do it right. The topical requirement, and I haven't written it or haven't participated in it, but, but the topical requirement is there to guide us as auditors. So if we decide to introduce a behavioral audit component in our audits, this being a standalone audit or part of a process audit, whatever that may be, if we want to incorporate that element of behavioral, sort of science, behavioral audits into our audit workflow, then that topical requirement is there to guide you. So in a way it's adding a little bit of clarity to what, as I said before, is historically a difficult area to audit the culture, the behaviors of the organization. But by all means, this is absolutely not a mandatory requirement that you must do behavioral audits or you must audit your culture through the behavioral lens next year in your organization. That's not what is there to say. Is there to say that if you do want to tackle this, this is a framework that is recommended to be adopted? That's how I gave the interpretation to this and this is how I sort of use the information available to sort of sense check what we have done in the past and what we want to do in the future as well on this topic. And as I was saying, it's a very useful piece of work. Don't get me wrong, what my main concerns are around here as I, is the practicality of a being able to implement this in your sort of mid sized internal audit organization and be able to get the adequate support from your audit and risk committee or your board to actually invest the right resources into this type of analysis because it's not an easy task and it may be counterproductive if you don't do it properly and it might actually lead to less valuable insights or less sort of, or less credibility To a certain extent if it's not tackled in the right way. But by all means, the examples as well that are brought up in the topical requirement are really useful because when they concentrate on various sizes and various case studies across not just as I was saying earlier, the big banks or the big sort of unlimited resources type of internal Audi, but they also illustrate examples for smaller type of organizations or non financial services organizations. The one thing where I think is not really punching through yet, but I don't think is necessary for lack of trying is more because I think is still very much at the beginning of the learning curve this behavior or sort of audits into the ecosystem of internalism. I think there is still lack or limited evidence as to what real change and what actionable remediations these type of reviews can bring to the organization. And there are a couple of other areas where I think there still needs a little bit of fine tuning because it's quite possible that if you tackle this type of reviews in your own organization, you will stumble across resistance not just from a board perspective in terms of investment, but also from your own organization. So hr, for example, I'm sure they have a multitude of tools that they use to assess certain areas of these behavioral underlying behavioral aspects of a process. You know, speak up processes versus employee satisfaction questionnaires, whatever. HR have got already their agenda. And this may feel a little bit intrusive into other areas of the organization. Whereas if we go and do a more traditional internal audit engagement, I don't know, you name it, but let's say we did appealing type audit or a fixed assets type audit, it's quite clear where the boundaries are and it's quite clear what internal audit is there to achieve. Whereas if you start overlapping onto behavioral type topics, the lack of clarity will also bring much more pushback from the organization to a certain extent.

Trent Russell

All right, so for those that are watching on YouTube, you already see what's going on. For those that are listening and are not going to check this out on YouTube, Roberto has a deck pulled up. He's going to share some visuals and then obviously he's going to talk to it in a way that they just. The audio folks can still make sense of what we're talking about. But what he has pulled up is the title slides introducing behavioral science into audits and the IIA Organizational Behavior Topical Requirement issued December 15, 2025. So quick background. Roberto and I had initially recorded this already talking about behavioral science, cultural audits and things like that. I think it was like December 14th or maybe it was the 15th or something, but right after we got done, you emailed me and you're like, hey, this thing just came out. Let's basically scrap what we just talked about so we can talk about it from this perspective. And so that's what we're doing today. So like I said, if you're on YouTube, you see the deck. If not, Roberto's going to speak to it as if you were. But I'm basically going to hand it over to Roberto and then just interject and have fun with it. So Roberto, with that said, I'm going to throw it to you.

Roberto Zambelli

Perfect. Thanks, Trent. Yeah, so timing worked quite perfectly for us because December 15, a topical requirement came out on organizational behavior. It's an interesting topic for me because we've been looking at organizational behavioral type audits or kind of looking at culture audits from various angles. And we actually run a couple of pilots at Vodafone on organizational behavior type audits to look at culture. So I thought it was a fitting topic and timing worked out quite well. But to be very, very honest, I wasn't completely familiar on topical requirements, what they were exactly. I've heard the terminology, I've seen IAA stuff, but I wasn't really clear. So I looked into that a little bit and it made a lot of sense. In essence, I'm just making sure everybody is aware and sort of sharing my view on topical requirements. But the IIA is, through Vision 2035, is trying to modernize the internal audit ways of working the way we approach the industry, and rightly so, in my opinion. And the topical requirements are sort of the way I see it, a deep dive on specific topics. And guiding a little bit internal audit industry in how to audit something specifically in particular organizational behavior or other areas of the control environment often need a bit of guidance to be harmonized and sort of the example I tried to come up is you see the let's look at what's on screen. If you're seeing the screen, let's say that all audits must follow an approved audit methodology. That's a general statement. And the topical requirement will say, okay, great. But if you're auditing, for example, data privacy in your audit plan, you must include controls that relate to the GDPR regulations. So it kind of dives in deeper. And that's what the organizational behavior or topical requirement tries to do. It tries to basically guide us as internal auditors towards structuring our reviews on this topic and to basically broadly reframing what was traditionally a Very soft topic that is culture and cultural audit into a more structured, more coded way of assessing it. If you have been interested in the topic like me, you might have realize that there are two documents and this is not just for this specific, but is in general, if you're interested in topical requirements generally. There is the requirement per se, which is about, I don't know exactly, but say six to eight pages. And then there is a user guide which can go much more in detail for this specific one. To be honest, the interesting bits are in the user guide. The user guide basically shares case studies, shares examples, and goes into a little bit under the hood of the actual requirement. So if you are interested in this topic and if you want to go and have a look, download the requirement per se, but also spend some time on the user guide. Basically, I think if you have followed me so far, there's essentially one key question which is which might crop up. It definitely cropped up for me when I was exploring behavioral audits as an option. So why do we need a behavioral audit? And what's the point of the behavioral audit?

Trent Russell

Yeah, if I rephrase that as what? Maybe same question asked a different way. But what's the value of doing this?

Roberto Zambelli

Yeah, exactly. And we'll get to. I think we'll get to talk about what's the value from a board or what's the value from an internal auditor, which sometimes could be very different. But in essence I think a behavioral audit is a useful tool to understand your culture in your organizational culture in what I said earlier, a bit more structured and organized way. The aim basically is to make sure as an auditor to have an audit opinion on whether there is an alignment between the behaviors in your organization and more factual or more tangible elements within your organization, such as policies, strategic objectives, even reporting, et cetera. Is there an alignment between what the organization is setting to achieve and the behaviors that are being promoted? Which I think is a good way to frame it right. Do we want to achieve, I don't know, a customer first type organization? And therefore the key question is have we got the underpinning behaviors that will help us achieve that as an organization? So the overarching aim of a behavioral audit or using behavioral science in an audit is quite focused, quite clear. Then the other layer is to obviously identify those behavioral risks or at risk behaviors that could lead to operational failure, compliance breaches, and so on and so forth. We may have all the right policies, we may be saying all the right things, but that may be behavioral undercurrents. That take you the wrong way. And a behavioral audit would help you flesh out those behavioral risks that otherwise just by looking at policies, procedures, etc. And data, sort of factual elements you might not be able to bring up as a root cause.

Trent Russell

Maybe I'm jumping ahead and maybe you're going to hit on this. But what. What's a. What might be a finding from a behavioral audit?

Roberto Zambelli

Yeah, let me. We will get into it in a couple of slides. But also there's some good examples in the topical requirement user guide, let's say, and they use these a lot. The incentives program. Let's say, for example, we want, as I was saying earlier, promote an organization that is customer centric and wants to make sure that the customers are looked after throughout the journey of that particular product or particular service, etc. And we do an audit and let's say we incentivize, we identify certain behavioral triggers that are, for example, we focus very much our sort of compensation packages or commissions packages or whatever on the first sale or every meeting, for example, is focalized on the sales line or every policy or customer sort of brief is focused on short term goals and as opposed to long term customer satisfaction, whatever that may be. There is then example of misalignment. So one key thing which we are going to look at it in detail is how are we going to frame the internal audit question, meaning what is the outcome that we are testing and retrospectively how are we building that audit? If you are seeing the screen on YouTube, you can you probably see the slide that I've produced here. So it works in reverse in a way. So you want to from your data collection and we can talk about the types of data in a second. But it's very specific data collection. On a behavioral type audit you get to behavioral drivers. For instance, if we were to look at the key factors driving customer results as a sort of simplified internal audit question by collecting data such as, you know, what I said earlier, company reports, policies, etc. But also qualitative data through, for example, interviews, psychometric tests, focus groups, polls, or even having a psychologist, behavioral scientist attending sort of meetings as a fly on the wall. We collect a whole lot of quantitative and qualitative data that gets analyzed and you pick up what we can call the behavioral drivers. And this could be again either qualitative, factual. So we looked at an increase in credit notes, for example, by 47% year on year, or customer service calls have gone down 20% year on year or whatever. And qualitative, so you know what Are people saying when they get interviewed, how are people behaving in specific meetings? And there is a whole science, that's why it's called behavioral science on coding these inputs and these in theory brings you up to sort of identify behavioral patterns. And by analyzing those behavioral patterns, then you can get to a clear outcome. So you know, you can see elements of short termism in decision making or a clear silo working in the organization, lead leadership that is only focused on financial distance from customer and that leads to sort of having an opinion on a specific outcome. In this case you can say, okay, if you're looking at what are the key factors driving positive customer results in our organization and our behaviors align to a long term sort of customer outcome. And then you have all sorts of behavioral patterns emerging that say otherwise, you are demonstrating by April as B +C that the behavior underlying might not be aiming in that direction unit, if you see what I mean. The real question in my opinion is can it succeed or not? Can everybody start doing behavioral science type audits or behavioral risk type audits in their internal audit?

Trent Russell

So like so regardless of audit team size, can someone take the topical requirements and execute against those? Is that what you're saying?

Roberto Zambelli

Exactly. Can you just take it and run with it? And I think the answer, to be fair, is a mixed one. I think behavioral risks within an audit, whether you do it as a standalone audit, which means, let's go and analyze what I said earlier, a behavior or pattern on a specific process or on a specific part of the organization, or if you embed behavioral risks within your existing audit, let's say, for example, we audit sales commissions, for instance, and we want to embed behavioral risk type tests in that whichever direction you take, I think to be credible it needs a significant amount of scale knowledge, but also time we skipped quite quickly on the data collection part of the conversation, but we can go back to it if need be. But basically to conduct a proper behavioral type analysis, you need a huge amount of data points. And to collect and analyze those data points you need skills. You're not a behavioral scientist because you've turned up one week ago and decided to become one. So of people have made careers out of it. So the analysis that goes behind this sort of thing is quite, is quite detailed and quite, quite structured and quite scientific. Can everybody do it? No. And that, what does it mean? It means that in reality what you are doing is to look for outside resources, right? A consultant or a specialist. That's the first point. So it needs scale and it needs Skills that not everybody has and not everybody has the support and the appetite to go out and get those skills and those resources outside, financially or otherwise as my first kind of concern. The second concern which is linked to that is if I go to a board today and of course if you are a giant multinational bank with fairly unlimited resources, the conversation is different. But if you are an average internal audit function in a non financial services type organization, when you go and knock on the door of the board and of the audit and risk committee and you have the request for a behavioral risk type audit, either there is a clear need and that need needs to be very well articulated by the chief audit executive or it will be challenged by why do we want to do this? I think in my opinion it's still seen and perceived as a bit of a nice to have type review or nice to have complement to the Audi function. And the risk is basically trying to dilute the impact of this kind of reviews because the appetite or because the investment is not sufficient to do it justice. And it goes into a vicious circle of because you didn't invest enough time, enough money, enough resource to it, the outcome is not as clear, tangible, actionable as you would otherwise. And you go into a spiral of sort of not being able to demonstrate value out of this. And it's difficult if you lose kind of your audience on your first pilot to to then get the board to support you on a longer term strategy. So yeah, it's a combination of scale, skills and money that needs investing, the appetite for it and being able to sell the business case. Is it useless? No, I don't think so. It's very useful because it's a little bit like a Swiss knife, right? There are specific situations, specific environments, specific processes or area in an organization that actually having a behavioral lens to your audit would allow you to have a much clearer analysis and much deeper analysis of the root causes. And with the right appetite then you can also bring in a much more long term remedial activity into the organization. So it can definitely in the right environment, in the right situation and in the right context be extremely useful. Is it a one size fits all, everybody should go and do it tomorrow? I don't think so, to be honest, not yet. To recap a bit, I think is the right direction of travel. I think internal audit needs to branch out a little bit and out of its comfort zone into this sort of topics. And there is no one recipe of success. It could be done, as I said before, as a culture audit, as a standalone, it could be done as part of a. A process audit. But branching out of our comfort zone and looking into these sort of soft skills area or sort of behavior or risk type areas is beneficial for the organization and us as a function. I do think though that we need to have three or four levers to get to the next level. The first one is what I call institutional weight, which means basically a little bit of clear coordination between say the internal IDIA regulators, et cetera. In my experience, and I come from an industry that is heavily regulated, I think what drives the appetite of the organization is also the regulatory push. If you are pushing in a direction. For example, why have behavioral science type audio or behavioral audits had more success in financial services in the uk? In any case, because the FCA has been quite heavily pushing towards behavioral lenses in assurance. So there is a regulatory force that creates this urgency. So I think first of all it needs that institutional weight, I call it that. So sort of external appetite that drives the decision first and secondly needs some kind of authority or impact at the moment. The reason why in my opinion we are not able to drive clear, measurable changes in the organization is because behavioral observations are very difficult to enforce. They still come across even if they are backed up by a lot of data as a bit of a soft opinion. So that needs to be. Yeah, there needs to be a sort of lever for us to push the agenda towards change. The other thing that I think is changing, which is a broader conversation, to be honest, is nothing to do or not just to do with behavior or type audits, but is a broader conversation. The ways of working of internal audit have to change in my view at the moment, in order. I think the middle of the road generally list auditor that knows sort of. That covers everything is kind of moving out and is moving out in favor of specialists. The issue is justifying a, in this case a behavioral specialist in your audit team. As I going back to before, you need the size and you need the investment to go with it. Not everybody would do it. And you need to be able to organize your work to really drive value out of external consultants. Otherwise, if you're driven by external consultants, you might lose a lot of the value or you might lose a lot of the. The specificity or the specific knowledge of your organization. That's the. And the last point I think is still missing and I think is something that needs to be developed. It's some form of standardization or benchmarking. If you take socks for example, or you take esg, the environmental sort of metrics I'm not saying whether they are perfect, right, wrong or whatever, but what I'm saying is there is a certain harmonization of metrics. Kris, etc. If I talk about CO2 consumption in an organization versus another, we all know what we're talking about. I don't think we have that harmonization of jargon first and KRI is second yet to allow us to sort of compare industry when it comes to, I'm sorry, compare organizations when it comes to behavior or insights. So standardizing it would make a lot, sort of much. Would make it much more clearer for us to embed into our own sort of internal audit environment.

Trent Russell

Yeah, maybe the IA has it on their agenda. Hey, this topical requirement is going to go in for a year and we're going to follow up with folks and have that benchmarking data available to everyone. I think that would be extremely helpful. So like Roberto, as the expert on this, we greatly appreciate you coming on. I know it's something that you've been working with for a few years and actually executing on this. With the few minutes we have left. I do want to throw the mic back to you. What, what do you want to leave the audience with? What's your closing remarks here?

Roberto Zambelli

I think it's kind of along the last sort of comment I made. I think, okay, we can, we can laugh and jokes, but 2026 is, is a year of transformation for internal audit. I think I kind of echo what the IIA Vision 2035 said, that we are at a risk of becoming irrelevant. My view is that we are not at risk in 2035, but we are at risk at 2026, 2027. I think we need to change our ways of working or adapt our ways of working in a very quick way. I think this topical requirement goes in the right direction. I think is the first step is definitely not the only step. I think we need to stop a little bit as a, as an industry to self glorify ourselves or self congratulating ourselves and sort of saying to ourselves how important we are. I think we need to go out a bit more of our comfort zone and, and make sure we get the recognition from boards and shareholders and management and recognizing in tangible ways how we contribute. I think we need a little bit of a wake up call. I think all the ingredients are there, but we need to action now. I think.

Trent Russell

Hey everyone, thank you very much for listening to this episode of the Audit podcast. Whatever platform you're listening on right now, I'm sure there's a subscribe button somewhere, so please hit the subscribe subscribe button there. If you're listening through itunes or Spotify, feel free to go give us that five star rating. It only took me about 16 seconds to give myself a five star review and it really helps to get future guests to come on the show, so we'd really appreciate that. Lastly, be sure to check out the show notes and follow us on all our social media channels, on Instagram, on LinkedIn, and on TikTok. Also, if interested, please sign up for our weekly newsletter from the Audit Podcast. Thank you all. Have a great one.