
For more than 25 years, internal audit standards have been clear: the internal audit plan must be driven by risks facing the internal auditors’ organizations. That mandate has guided our profession through the peaks and valleys of the 21st century. In the permacrisis era of the 2020s, it is more critical than ever.
The world is volatile. Political shifts, AI disruption, and economic uncertainty are converging. For internal auditors, this means one thing: risk must remain our North Star.
For centuries, sailors relied on the North Star to navigate safely across uncertain seas. It was steady. It never moved. It gave direction when everything else shifted. For internal auditors, risks certainly change, but the need to focus on those risks is that same constant. Strategies evolve. Technology transforms how we work. Organizations restructure. But risk — the threat to achieving objectives — always drives where we must go.
When risk is your North Star, you know where to focus, even when disruption clouds the horizon. This truth holds whether you are auditing cybersecurity, supply chains, or new AI-driven processes. Ignore risk, and you drift into irrelevance. Follow risk, and you remain a vital oversight resource in your organization’s system of risk management and controls.
A Sharper View of the Risk Horizon
The Internal Audit Foundation’s Global 2026 Risk in Focus report provides early projections of the risks expected to keep organizations’ executives awake at night—and where CAEs anticipate their internal audit plans will be focused. The findings reveal a stark message: risks are evolving more rapidly than audit priorities are shifting to meet them.
The top seven risks facing organizations globally are expected to be:
- Cybersecurity
- Digital disruption, including AI
- Business resilience
- Human capital
- Regulatory change
- Geopolitical and macroeconomic uncertainty
- Financial and liquidity
These numbers tell a story. Geopolitical uncertainty surged when compared to the prior year’s survey. Digital disruption climbed rapidly due to generative AI’s impact. Cybersecurity remains the undisputed top risk, eclipsing the next closest risk by 25%.
Where Internal Audit Expects to Focus in 2026
The same report identified where internal audit functions expect to spend most of their time globally in 2026. The top seven priorities are:
- Cybersecurity
- Governance and corporate reporting
- Business resilience
- Regulatory change
- Financial liquidity
- Fraud
- Supply chain (including third parties)
These priorities overlap with key risks, but not perfectly. For example, geopolitical risk ranks sixth among enterprise risks, yet it doesn’t appear among the top 7 audit priorities (in fact, it came in 14th!). Human capital risk also ranks high in perceived risk but much lower in audit coverage. Meanwhile, governance and reporting does not appear among the top 7 risks but ranks 2nd in anticipated audit priorities. These gaps deserve scrutiny.
The Challenge of Staying Risk-Aligned
When the internal audit plan diverges from the organization’s top risks, the reasons must be clearly understood and articulated. Sometimes the cause is structural—certain risks, like geopolitical uncertainty, lack auditable processes or controls. Other times, it’s resource-driven—a shortage of skills, technology, or bandwidth to address emerging risks such as AI governance.
But whatever the reason, the Chief Audit Executive (CAE) must strive to ensure the plan reflects the most material threats to the enterprise. The IIA Standards require it. Boards and executive teams expect it. And stakeholders count on it.
Following the North Star: Risk
Risk-driven planning is not a compliance exercise. It is the compass that keeps internal audit relevant. If we lose sight of that, we drift.
To ensure risk remains the North Star, CAEs should:
- Start with the enterprise risk assessment. The audit plan should be anchored to it to the extent possible. Review it in depth and understand the assumptions behind it.
- Challenge outdated perceptions. Ask whether the risk assessment fully reflects new realities—AI governance, geopolitical volatility, supply chain fragility, or talent shortages.
- Align priorities with velocity and impact. Some risks emerge and evolve overnight. Weight your plan toward those with the highest potential to disrupt operations, not just those easiest to audit.
- Be transparent about gaps. When resources or expertise limit your ability to audit high-risk areas, discuss it openly with the audit committee and management. Explain what coverage is possible, what is deferred, and why.
- Collaborate across assurance functions. Coordinate with risk management, compliance, and IT security to ensure all major risks are covered somewhere in the assurance map.
- Monitor continuously. Risks can shift between quarters. Use rolling risk assessments and agile planning to recalibrate audit priorities in real time.
- Invest in emerging skills. Build AI fluency, geopolitical awareness, and data analytics capability. The profession cannot follow risk if it cannot understand it.
The 2026 Imperative
The Risk in Focus 2026 data shows a world in flux. Geopolitical risk has reemerged as a major concern, driven by trade disputes, tariff changes, and policy shifts. Digital disruption has accelerated as AI transforms business models and internal controls alike. Meanwhile, cybersecurity threats continue to multiply, with Microsoft reporting more than 7,000 password attacks per second globally in 2024.
Internal audit cannot afford to lag behind this reality. Functions that cling to static plans or outdated risk views risk irrelevance. Boards want forward-looking assurance and insight. They need internal audit to illuminate blind spots and help navigate uncertainty.
When Plans and Risks Diverge
Every CAE will eventually face a moment when the audit plan does not fully align with the risk assessment. The response in that moment defines leadership.
Here’s what I recommend doing:
- Acknowledge the gap. Don’t rationalize it away.
- Document your rationale. Explain whether the gap is due to resource constraints, timing, or limitations in auditable processes.
- Engage stakeholders early. Hold a transparent discussion with the audit committee and management. Clarify how other functions may be addressing uncovered risks.
- Offer alternatives. Suggest advisory work, risk reviews, or co-sourced engagements to provide partial assurance.
- Update continuously. In the 2020s, risks change rapidly. Maintain a continuous focus on risks and update the plan as needed. Annual and periodic risk assessments are an outdated strategy to facilitate risk-driven auditing.
- Report with candor. When presenting the annual audit plan, highlight both alignment and misalignment. Boards value honesty over false precision.
When internal audit leaders proactively address these gaps, they build credibility. When they ignore them, they invite questions about relevance.
Risk-Based Planning in the Permacrisis Era
The 2020s have been defined by volatility. Geopolitical shifts. Economic shocks. Rapid technological disruption. Environmental and social turbulence. For internal audit, these are not passing trends—they are the “new normal.”
That is why risk must be internal audit’s North Star in 2026 and beyond. It guides every decision, every engagement, every plan. When we follow it, we ensure our work matters. When we lose sight of it, we become spectators instead of stewards.
Internal audit cannot control the winds of change. But by steering toward risk, we can help our organizations stay on course.
I welcome your comments via LinkedIn or Twitter (@rfchambers).