The past year delivered no shortage of research reports and predictions about the future of internal audit. I applaud every effort to help the profession focus on what lies ahead. Foresight matters.

Yet each time I look toward the horizon, I return to the front lines. I listen to chief audit executives. I ask what keeps them awake at night. I focus on their ability to serve their organizations and meet rising stakeholders’ expectations.

Since 2021, I have conducted an annual survey on the strategic risks CAEs believe internal audit will face over the next five years. For the first three years, the results showed remarkable consistency. One risk stood above all others. The inability to recruit and retain the talent needed to deliver the mission.

As 2024 closed, the picture shifted. The profession was finally recognizing the seismic impact of AI. The top strategic risk became the inability to leverage AI to drive greater efficiency and productivity. The margin was not close.

This year, the gap widened even further.

More than 1,200 respondents participated in this year’s strategic risk survey. Their message is clear. The horizon is clouded. The risks are interconnected. The stakes are rising.

Below are the seven most significant strategic risks internal auditors see ahead. For each, I offer practical actions you can take now to strengthen resilience and demonstrate value. Pay particular attention to the top 3. They collectively garnered 70 percent of the responses.

1. Inability to leverage AI to drive greater internal audit efficiency and productivity

AI now sits at the center of internal audit’s future. Teams that fail to embrace its potential and move beyond pilots risk falling behind fast. Stakeholders already expect faster insights, broader coverage, and continuous assurance.

Mitigation actions you can take:

• Develop a clear AI adoption roadmap aligned to your audit plan and risk universe.
• Start with high value use cases such as risk assessment, audit planning, and data analysis.
• Partner with IT and data teams to ensure access to clean, reliable data.
• Establish governance, ethics, and model risk controls before scaling use.

Leveraging AI is no longer a leading practice. It is an existential imperative. Delay presents ominous risks.

2. Lack of expertise to provide assurance and advice on technology risks

Technology risks now dominate board agendas. Cyber threats, data privacy, AI governance, and third party technology risks are evolving faster than traditional audit skills.

Mitigation actions you can take:

• Conduct a skills inventory to identify gaps in cyber, data, and emerging technology risks.
• Invest in targeted training and certifications tied to your risk profile.
• Use co-sourcing strategically while building internal capability.
• Embed technology specialists into audits rather than isolating them.

You earn credibility when you speak fluently about the risks leaders fear most. You solidify internal audit’s value when you provide assurance and advice regarding those risks.

3. Inability to attract and retain talent

This risk isn’t about a shortage of traditional internal audit skills. The pressure to secure vital talent for internal audit centers around specialized skills such as cybersecurity, data analytics, AI and other technology expertise. The pressure is not abating. It is intensifying. Internal audit competes with business units in their own organizations, outside service providers, technology firms, and others that often offer clearer career paths and often better compensation.

Mitigation actions you can take:

• Redefine career models to emphasize mobility, learning, and purpose.
• Recruit for curiosity, critical thinking, and adaptability, not just credentials.
• Invest in continuous development, mentoring, and stretch assignments – particularly in developing technology skills.
• Use AI and analytics to reduce manual work that drives burnout.

People stay where they grow. Your culture matters as much as your compensation.

4. Inability to transition from value protection to value creation

Many stakeholders still see internal audit as focused on control and compliance. That perception limits influence and relevance.

Mitigation actions you can take:

• Align audit plans tightly to strategic objectives and enterprise risks.
• Frame findings in terms of impact, opportunity, and decision support.
• Engage earlier in major initiatives and transformations.
• Measure and communicate outcomes, not just issues closed.

You protect value by default. You earn trust by helping leaders create it.

5. Inability to identify emerging risks

The convergence of risk velocity and volatility is accelerating. Annual risk assessments struggle to keep pace with change.

Mitigation actions you can take:

• Shift from point in time assessments to continuous risk sensing.
• Use data analytics, external signals, and scenario analysis to spot change early.
• Build strong relationships with strategy, compliance, and operations leaders.
• Allocate flexible audit capacity to respond to new risks quickly.

Surprise is the enemy of relevance. Anticipation is your advantage.

6. Lack of coordination across the three lines

Silos persist across risk management, compliance, and internal audit. The result is duplication, gaps, and confusion for stakeholders.

Mitigation actions you can take:

• Clarify roles, responsibilities, and ownership of key risks.
• Align risk assessments, reporting, and assurance plans across functions.
• Share data, tools, and insights to reduce redundancy.
• Present a unified view of risk to executive management and the board.

Coordination improves coverage. Alignment improves confidence.

7. Inability to address critical risks

Resource constraints remain real. Expectations continue to rise. Many teams struggle to cover what matters most.

Mitigation actions you can take:

• Prioritize ruthlessly based on risk, not tradition.
• Reduce low value audits and automate routine assurance.
• Focus audit work on root causes and systemic issues.
• Communicate clearly what you can and cannot cover, and why.

Coverage is not the goal. Impact is.

What the Survey Results Mean

The results of this year’s survey are a clear reminder. We must seize control of our own future. The risks clouding the horizon are not abstract. They are operational. They are strategic. They are urgent.

Internal audit has never had greater opportunity to lead. But leadership requires action. It requires investment. It requires courage to change.

Your stakeholders are watching. The horizon is shifting. How you respond will define internal audit’s relevance for years to come.