Cybersecurity, digital disruption, geopolitical uncertainty and business resilience aren’t just buzzwords — they are the key, converging risks reshaping the future of internal audit. The latest Risk in Focus 2026 report from the Internal Audit Foundation makes one thing clear: these risks are accelerating, interconnected and demanding new approaches from audit leaders.
What are the driving forces behind these risks? How are they evolving, and what can internal audit do to stay ahead? In a world where the rate of change is outpacing governance, the risk environment grows more complex and the lead time to prepare is greatly reduced. Yet, internal audit teams can still deliver confidence, insight and impact by embracing modern, risk-based approaches and positioning themselves as proactive, strategic advisors to their organization.
1. Cybersecurity: A Fast-changing, Existential Business Risk
Heading into 2026, cybersecurity remains the most pressing risk for organizations, far outpacing other threats, as the risk is increasingly complex and intersects with most of the other key risks. The cybersecurity threat landscape is rapidly evolving as adversaries increasingly leverage generative AI to automate and scale attacks such as phishing and social engineering.
Organizations face cascading cybersecurity vulnerabilities through third-party vendors, cloud platforms and open-source components, making governance critical beyond the organization’s “four walls.” Cyber resilience now demands more than prevention — it requires the ability to withstand and recover from incidents through tested response plans, encrypted backups and clearly defined impact tolerances. Identity and access management has become the new security perimeter, yet weaknesses in authentication and privileged account controls persist.
Gaps in data governance, the growing complexity of global privacy and the localization of regulations further amplify these challenges. Together, these factors make cybersecurity an existential business risk, requiring continuous adaptation, integrated controls and proactive planning to protect against financial loss, litigation, reputational damage, operational paralysis and more.
Internal audit teams play a critical role in managing, mitigating and anticipating cybersecurity risk. These teams should focus efforts to:
- Verify backup and recovery capabilities
- Ensure a documented third-party risk management (TPRM) policy exists, and that it includes a process to vet high-risk vendors
- Maintain ongoing monitoring and incident response procedures
- Review incident response plans for clarity and cross-functional engagement
- Assess visibility into sub-vendors and concentration risks
- Confirm that critical services and outage tolerances are well defined
These practices will help organizations better withstand and recover from cyber incidents and avoid operational paralysis and reputational harm.
2. Digital Disruption and AI: Governance Is Lagging
Digital disruption risk is being driven by the rapid adoption of AI and automation, which is outpacing governance efforts and creating an assurance gap. Many organizations lack formal governance structures, risk appetites, cross-functional collaboration and monitoring standards, leaving them vulnerable to issues such as model drift, bias and unauthorized deployment.
Inadequate change management and “set-and-forget” automation practices further increase operational risk, while talent and skill gaps hinder the ability to implement and sustain digital initiatives securely. Together, these factors make digital disruption a strategic risk requiring robust governance, continuous monitoring and proactive internal audit oversight.
To address these emerging risks, internal audit should prioritize the following actions:
- Evaluate whether AI governance is clearly structured and aligned to standards (e.g., NIST AI Risk Management Framework, ISO 42001, EU AI Act)
- Determine whether controls are in place to protect sensitive data
- Confirm that a change management process is in place for AI tools and that an inventory of tools is documented
Internal audit teams should also focus on verifying AI tools and outputs to ensure reliability, explainability and compliance. Determine whether controls are in place to evaluate model reliability, drift, decision transparency and bias.
3. Geopolitical and Macroeconomic Uncertainty: Hard To Control, Difficult To Model
Geopolitical risk saw the largest one-year increase in the Risk in Focus report, jumping from 26% to 45% as a top concern among chief audit executives (CAEs). This category is inherently unpredictable, making proactive management challenging.
Examples of geopolitical risk include trade barriers, tariffs and sanctions. These factors can disrupt supply chains and increase the complexity of compliance efforts. Geopolitical factors can also lead to sudden policy changes, such as export controls, that can significantly impact an organization’s operations and costs.
Rising geopolitical tensions also heighten the risk of cyber warfare targeting critical infrastructure and intellectual property. Together, these factors create a volatile environment where organizations must anticipate rapid regulatory shifts and develop contingency plans to maintain resilience.
To address these risks, internal audit teams should consider the following practices:
- Assess whether supply chain sourcing is resilient to trade barriers
- Review contingency plans for single-source dependencies
- Map and quantify the risk from tariff and relocation scenarios
- Confirm accuracy of tariff compliance, including accuracy of product classification, accounting and regulatory requirements
- Assess cyber and operational risks across the supply chain
4. Business Resilience: From Recovery to Anticipation
Business resilience is no longer about recovering from a single event, but anticipating and navigating multiple, simultaneous disruptions. Modern threats are often compound and systemic, in which a cyberattack, supplier failure and geopolitical shock can all occur together, amplifying their impact. High-speed digital transformation and deep reliance on external ecosystems introduce new points of failure, while weak governance and siloed scenario planning leave organizations vulnerable.
The growing complexity and interconnected nature of threats demand substantive scenario planning and modeling — shifting resilience from a reactive posture to a proactive, anticipatory process.
Internal audit teams can help strengthen resilience by:
- Testing compound scenario planning involving cyber, supply chain, geopolitical and other events
- Defining outage tolerances
- Ensuring resilience exercises engage all relevant business functions
- Confirming remediation processes are monitored across functions
How Cherry Bekaert Can Help
Ready to strengthen your internal audit function and stay ahead of emerging risks? Cherry Bekaert’s Internal Audit Services team can help you design a risk-based program that’s future-ready — whether co-sourced, outsourced or fully tailored to your needs. From cybersecurity and AI governance to regulatory compliance and resilience planning, we offer the knowledge and experience to help keep you confident and compliant.