The Audit Podcast
Ep 272: Understanding the IIA's Topical Requirements with Roberto Zambelli (Vodafone Three)
Host: Trent Russell
Guest: Roberto Zambelli, Head of Audit, Vodafone Three
Date: February 3, 2026
Overview
This episode dives into the Institute of Internal Auditors’ (IIA) new topical requirement on organizational behavior, which aims to guide internal audit teams on integrating behavioral science and cultural assessments into their work. Roberto Zambelli shares his insights and experiences piloting such audits at Vodafone Three, examining the challenges, practicalities, and opportunities for internal audit teams regardless of their size or sector. The conversation underscores the growing importance of auditing organizational behavior and the transformation facing the internal audit profession.
Key Discussion Points & Insights
1. Transformational Moment for Internal Audit
- Roberto Zambelli stresses 2026 as a pivotal year for internal audit, in line with the IIA Vision 2035, noting the profession faces immediate risks of irrelevance if it doesn’t adapt.
- Quote [00:00]:
"2026 is a year of transformation for internal audit… We are at risk of becoming irrelevant, not in 2035, but in 2026, 2027." — Roberto Zambelli
2. ChatGPT and Emerging Trends in Internal Audit
- Roberto shares personal and professional uses for ChatGPT, with mixed success. On the work front, he found the AI’s audit predictions unsurprising: it named AI, organizational behavior, and geopolitical instability as key risks for 2026.
- Quote [03:20]:
"Unsurprisingly, one of them was AI, of course... Also, organizational behavior… and geopolitical instability. Not shocking at all." — Roberto Zambelli
3. Understanding the IIA’s Topical Requirement
- The requirement is not mandatory, but is designed as a framework to guide auditors who choose to perform behavioral audits—either as standalone engagements or integrated into other audits ([06:13]).
- Topical requirements:
- Aim to provide structure to historically subjective audit areas like culture.
- Are especially useful in clarifying scope and offering case studies, including for smaller and non-financial sector organizations.
- Practical implementation is tricky; smaller audit teams may lack resources or organizational support.
- Quote [06:13]:
"The topical requirement… is there to guide us as auditors… If you want to tackle this, this is a framework that is recommended. Not mandatory." — Roberto Zambelli
4. What Is a Behavioral Audit and Why Do One?
- Behavioral audits structure the assessment of alignment between organizational behaviors and formal policies, strategy, and reporting ([16:03]).
- The method helps identify unaligned “at risk” behaviors that could result in compliance, operational, or reputational failures.
- Insights go deeper than conventional audits by surfacing behavioral root causes rather than just procedural gaps.
- Quote [16:03]:
“A behavioral audit is a useful tool to understand your culture in a bit more structured and organized way… Is there an alignment between what the organization is setting to achieve and the behaviors that are being promoted?” — Roberto Zambelli
5. How Does a Behavioral Audit Work in Practice?
- Example finding: Misaligned incentives—e.g., when short-term sales targets conflict with a stated goal of long-term customer satisfaction ([18:16]).
- Methods include:
- Collection of quantitative data (e.g., policies, performance reports, metrics).
- Gathering qualitative data (e.g., interviews, psychometric tests, observed behaviors in meetings).
- The process requires skill in "coding" and analyzing complex behavioral data.
- Quote [18:16]:
“You pick up… behavioral drivers… qualitative and quantitative… and by analyzing those patterns you get to clear outcomes.” — Roberto Zambelli
6. Practical Barriers to Adoption
- Not all teams can operationalize behavioral audits due to:
- Scale (need for large data sets and specialist skills)
- Resourcing (often require external consultants or new hires)
- Board/management buy-in (may be perceived as non-essential or intrusive)
- Pilot audits that aren’t well-resourced risk producing superficial outcomes, decreasing credibility and future support ([22:40]).
- Quote [22:40]:
“It needs scale and skills that not everybody has, and not everyone has the support or appetite to go get those skills…” — Roberto Zambelli
7. Keys to Making Behavioral Audits Effective
- Four levers needed for success ([27:10–31:53]):
- Institutional Weight: Regulatory or high-level support drives adoption (e.g., FCA push in UK financial services).
- Authority: Behavioral audit findings must have enough weight to trigger real change.
- Specialization: The shift from generalist auditors toward specialists—with investment in behavioral science skills.
- Standardization: The need for harmonized terminology and key risk indicators (KRIs) so organizations can benchmark and improve.
- Quote [30:30]:
"Behavioral observations are very difficult to enforce. They come across, even backed by data, as a bit of a soft opinion..." — Roberto Zambelli
8. The Path Forward for Internal Audit
- The profession must move beyond "self-glorification" and work proactively to remain relevant by adopting innovations like behavioral audits ([32:20]).
- Action is needed now; waiting until 2035 is too late.
- Quote [32:20]:
"We need to go out of our comfort zone and… get recognition from boards and shareholders. We need a little bit of a wake up call. All the ingredients are there, but we need to action now." — Roberto Zambelli
Notable Quotes and Memorable Moments
- On Naming DJs with ChatGPT [01:47–04:41]: Lighthearted banter about using AI to name Roberto’s daughter’s DJ persona shows both the limitations and promise of AI in personal and professional life.
- “None of them passed the teenage scrutiny.” — Roberto Zambelli [02:22]
- On Resource Challenges [22:40]: “You're not a behavioral scientist because you've turned up one week ago and decided to become one. People have made careers out of it.”
- On the Risk of Irrelevance [32:20]: “We need a little bit of a wake-up call. All the ingredients are there, but we need to action now.”
Timestamps for Key Segments
- 00:00 — Roberto sets the stage for 2026 as a transformational year; risk of audit becoming irrelevant
- 03:20 — AI, organizational behavior, and geopolitics as top risks for audit in 2026
- 06:13 — IIA’s topical requirements explained; not mandatory, but useful frameworks
- 12:12 — Quick primer: What is a topical requirement; deep dive into the new guidance
- 16:03 — What behavioral audits are and their value
- 18:16 — Example findings and audit workflow
- 22:40 — Challenges in adoption: resources, skills, and board buy-in
- 27:10–31:53 — Four key levers for successful integration of behavioral audits; need for regulatory and internal drivers
- 32:20 — Roberto’s call to action for the audit community
Concluding Thoughts
Roberto underscores the urgency for internal audit to evolve and embrace new techniques like behavioral audits, echoing the IIA’s vision for the future of the profession. While most teams face initial barriers in resourcing and skills, those who invest in these capabilities will be better positioned to offer meaningful, actionable insights and remain relevant in a rapidly changing landscape.
