
September 24, 2025

Rising risks, shifting priorities: What the IIA’s Risk in Focus 2026 report means for internal audit


Richard Chambers

For the past decade, one of the most anticipated internal audit thought leadership events each year has been the release of The IIA’s Risk in Focus Report. It typically provides the first glimpse of the risks and priorities internal auditors will need to address in the upcoming year. The report always delivers critical insights at a time when audit plans are being drafted for the year ahead, and the 2026 report is no exception.

Drawing on more than 4,000 survey responses and dozens of roundtables worldwide, the 2026 Risk in Focus Report identifies where risks are intensifying and how internal audit is aligning its priorities for the year ahead.

For North America, the story is one of volatility, which carries important implications for chief audit executives (CAEs) as they prepare for 2026 and beyond.

Key takeaways from the 2026 Risk in Focus Report

Geopolitical risks spike in North America

In one of the most dramatic shifts in survey history, 45% of North American respondents listed geopolitical uncertainty among the top 5 risks their organizations face, up from just 26% the prior year. That 19-point jump was the largest single-year increase for any risk in any region.

The drivers are clear. Rapid U.S. policy changes, new tariffs, and cuts in federal funding are reshaping business conditions across industries. Sectors like manufacturing, energy, and agriculture face particular exposure. Internal auditors report being pulled into strategic planning and supply chain reviews as organizations scramble to adjust.

Globally, geopolitical concerns rose as well, though not as sharply. The global average increased 9 points, highlighting that this is not just a North American phenomenon but a worldwide reality.

Cybersecurity retains the top spot

For North America, cybersecurity remains the highest-rated risk, cited by 86% of respondents among their top 5. That is 13 percentage points higher than the global average. The rapid adoption of generative AI has only intensified the threat, with cybercriminals exploiting AI tools to scale attacks.

The IIA has responded with its new Cybersecurity Topical Requirement, setting a minimum baseline for auditing cybersecurity governance, controls, and resilience. Beginning in 2026, CAEs will need to ensure their functions are aligned with this guidance.

Digital disruption and AI create new fault lines

The second major storyline is digital disruption. More than half (53%) of North American respondents identified it among the top 5 risks, up 17 points in two years. This exceeds the global average of 48%.

The rapid proliferation of AI is the primary source of this disruption. Organizations are racing to harness AI for efficiency and growth, while simultaneously confronting risks in bias, privacy, and security. Some organizations are mandating AI adoption, even tying it to employee performance evaluations. Others remain cautious, restricting usage to narrow applications.

For internal auditors, this presents dual challenges:

  • Providing assurance over AI governance and risk management.
  • Leveraging AI tools themselves to increase audit efficiency.

The report notes that many CAEs are joining AI governance councils, while others are experimenting with AI for drafting reports, analyzing data, and even engaging stakeholders. But governance remains immature, and assurance frameworks are still evolving.

Audit priorities lag behind risks

One of the familiar insights in Risk in Focus 2026 is the persistent gap between risk levels and internal audit priorities.

  • In North America, geopolitical risk outpaced audit attention by 35 percentage points.
  • Human capital risk showed a 27-point gap.
  • Digital disruption trailed by 10 points.

These gaps reveal a fundamental challenge: not all risks lend themselves to traditional audit coverage. Geopolitical uncertainty, for example, lacks defined processes and controls. Still, CAEs must find creative ways to address such risks through advisory reviews, scenario planning, and resilience testing.

Globally, similar gaps exist, though generally narrower than in North America.

5 imperatives for CAEs in 2026

The findings point to five clear imperatives for CAEs as they prepare for 2026:

1. Elevate geopolitical risk awareness

  • Develop audit plans that account for tariff volatility, supply chain disruption, and funding shifts.
  • Partner with ERM and strategy teams to provide assurance over resilience plans.

2. Strengthen cyber assurance

  • Align with The IIA’s Cybersecurity Topical Requirement.
  • Test not only technical controls but also governance and talent strategies for managing cyber threats.

3. Prioritize engagement on AI governance

  • Push for internal audit representation on AI councils.
  • Audit AI workflows, data integrity, and model validation.
  • Educate boards on hidden risks, including “out of sight, out of mind” automation.

4. Close the risk-audit gap

  • Use flexible approaches, such as advisory reviews, scenario analyses, and real-time assurance, to cover areas like geopolitical uncertainty and human capital.
  • Re-examine resource allocation to ensure emerging risks do not go unaddressed.

5. Communicate strategically with stakeholders

  • Do not assume boards or executives will turn to internal audit when risk environments shift.
  • Initiate conversations about how internal audit can provide assurance and insight in uncertain times.
  • Deliver concise, timely intelligence that demonstrates value beyond compliance.

A defining year ahead

The Risk in Focus 2026 report clearly illustrates that internal audit faces its most complex risk landscape since the pandemic. Yet the challenge is also an opportunity.

For CAEs, 2026 will test their ability to be both sources of assurance and advisors on strategy. Cybersecurity, AI, and geopolitics will demand constant attention. Audit plans must be agile, and audit leaders must be bold in redefining their role.

The coming year is not just about keeping up with change. It is about shaping how organizations perceive and use internal audit in an era of extraordinary volatility. I encourage you to read the full report as you prepare your 2026 internal audit plan.

About the authors


Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as Senior Advisor, Risk and Audit at AuditBoard. Previously, he served for over a decade as the president and CEO of The Institute of Internal Auditors (IIA). Connect with Richard on LinkedIn.
