Summary
Highlights
The Institute of Internal Auditors presents an episode discussing the top three risks from the 2026 North American Risk and Focus Report: geopolitical uncertainty, digital disruption, and cybersecurity. Deborah Puian and Brian Trembley delve into the reasons behind these rising risks, effective auditing approaches for complex areas, and how to use the report to engage with leadership.
Geopolitical and macroeconomic uncertainty saw a significant increase in risk levels in North America, with 45% of respondents identifying it as a top five risk. However, it was rarely among the top five areas for time and effort spent by chief audit executives (CAEs). Internal audit can address this by assessing organizational resilience, impact on supply chains, and liaising with enterprise risk management functions.
Digital disruption, including AI, has seen a steady rise as a significant risk, with over half of CAEs identifying it as a top five risk. Audit priority for this area is also increasing. Brian emphasizes that while technology is fascinating, its core lies in lines of code, and basic technology audit principles like access and change control remain crucial. Internal audit needs to deeply understand new technologies and help organizations be vigilant in assessing risks and opportunities, rather than merely adopting new software because it's novel.
Cybersecurity remains the highest-rated risk in North America, with 86% of CAEs identifying it as a top five risk and 78% spending significant time on it. AI and other disruptive technologies enhance both cyber defenses and attack vectors. The recent first AI-native cyber attack highlights the critical need for robust basic controls, patch and vulnerability management, and incident response planning within organizations and their third-party networks. Internal audit needs to move beyond mere assessments to deeply understand technology and its associated risks.
To effectively address these complex and evolving risks, internal audit must commit to a deeper understanding, going beyond surface-level assessments. This involves gaining technical expertise, either within the team or by leveraging external resources, to strategically evaluate the impact of these risks on the organization as a whole. The IIA's Risk and Focus reports are valuable tools for starting these crucial conversations with stakeholders.