Thematic priorities for internal audit in 2026

Geopolitical volatility remains a defining feature of the global risk landscape. The rise of regionalism, the decline of multilateralism, and the proliferation of grey-zone threats, such as cyber sabotage, disinformation campaigns, and infrastructure attacks, are reshaping global alliances, trade flows, and supply chain dependencies. Political transitions across major economies, including the EU, UK and US, are driving regulatory divergence and uncertainty, while emerging coalitions and alternative governance models challenge the traditional Western-led order.

Internal audit should assess how geopolitical risks are identified, monitored and integrated into enterprise risk management frameworks. This includes evaluating the effectiveness of horizon scanning, scenario planning, and stress testing capabilities, as well as the agility of governance structures to respond to external shocks. Assurance should extend to the resilience of critical third parties, the robustness of contingency planning, and the organisation’s ability to adapt to shifting regulatory and economic conditions across jurisdictions.

Following the implementation deadlines for DORA and UK resilience regimes, regulators now expect firms to embed operational resilience into business-as-usual activities. This marks a shift from compliance-driven programmes to strategic resilience capabilities that support continuity, adaptability and long-term sustainability. The focus is now on maturity, integration and continuous improvement.

Internal audit should assess the design and operating effectiveness of resilience frameworks, including business continuity planning, ICT recovery strategies, and crisis response protocols. Assurance should cover the quality of management information, the sophistication of resilience testing (including threat-led penetration testing), and the alignment of resilience activities with broader risk and change management programmes. Internal audit must also evaluate how resilience is embedded into outsourcing arrangements, product development, and strategic initiatives, ensuring that resilience is treated as a core business capability rather than a regulatory obligation.

Third-party risk continues to escalate as organisations deepen their reliance on outsourcing, cloud services, and digital ecosystems. This dependency is amplified by geopolitical fragmentation, economic volatility, and increasingly complex global supply chains. Regulatory scrutiny is intensifying, with frameworks such as DORA, PRA SS2/21, and the UK’s Critical Third Party regime requiring firms to demonstrate robust governance, resilience, and accountability across their extended enterprise. These developments reflect a shift from transactional vendor management to strategic oversight of critical service providers.

Beyond operational and financial considerations, organisations must now address data sovereignty, cross-border compliance, and ESG-related risks within their supply chains. Stakeholders expect transparency on ethical sourcing, environmental impact, and human rights practices, while regulators demand evidence of due diligence and continuous monitoring. The integration of AI-driven tools and automation into supply chain operations introduces additional risks around algorithmic bias, cyber vulnerabilities, and regulatory compliance.

Internal audit should evaluate the maturity and effectiveness of third-party governance frameworks, including onboarding, due diligence, contract terms, and performance monitoring. Assurance should extend to resilience testing of critical suppliers, oversight of subcontractors, and integration of ESG and AI risk considerations. Internal audit must also review contingency planning, supplier diversification strategies, and the organisation’s ability to respond to disruptions, ensuring resilience is embedded as a strategic capability rather than a compliance exercise.

The skills required for internal audit are evolving rapidly. The adoption of GenAI, advanced analytics, and agile assurance methodologies is reshaping the profession, demanding new capabilities and mindsets. At the same time, organisations face persistent challenges in attracting and retaining talent, with hybrid working arrangements, DE&I expectations, and employee value propositions under increasing scrutiny.

Internal audit should assess workforce planning, talent acquisition strategies, and upskilling initiatives across the organisation. This includes evaluating the organisation’s readiness for AI adoption, the maturity of behavioural risk frameworks, and the effectiveness of staff engagement mechanisms such as surveys, feedback loops, and cultural assessments. Assurance should also cover succession planning, leadership development, and the alignment of workforce strategies with long-term business objectives and regulatory expectations.

Sustainability reporting and climate risk management are entering a new phase of maturity and regulatory scrutiny. The UK Sustainability Reporting Standards (UK SRS), CSRD, and ISSB frameworks are driving convergence and increased assurance expectations. Organisations are expected to produce credible transition plans, integrate climate risks into financial planning, and demonstrate alignment with net zero commitments.

Internal audit should assess the governance, data quality, and control frameworks underpinning ESG reporting and climate risk management. This includes reviewing CSRD readiness, the integration of climate risks into ORSA, ILAAP (where relevant) and strategic planning, and the effectiveness of sustainability data governance. Assurance should also extend to stakeholder engagement, ESG risk registers, and the alignment of ESG initiatives with broader organisational strategy and regulatory requirements.

Cyber threats continue to evolve in scale, sophistication and impact. AI-powered attacks, ransomware, and supply chain vulnerabilities are now commonplace, with attackers leveraging automation, deepfakes and behavioural analytics to bypass traditional defences. The IIA’s Cyber Topical Requirement, effective February 2026, introduces a new baseline for cyber assurance, requiring internal audit functions to assess governance, risk management and control effectiveness across the cyber domain.

Internal audit should evaluate the maturity of cyber security programmes, including threat detection capabilities, incident response plans, and alignment with recognised frameworks such as NIST and COBIT. Assurance should cover phishing simulation results, privileged access management, vulnerability management, and the integration of cyber risk into strategic planning. Internal audit must also assess compliance with the IIA requirements, including documentation, applicability assessments, and evidence of conformance.

AI is now a foundational technology, with agentic and generative systems introducing new risks around autonomy, ethics, and accountability. The EU AI Act and UK regulatory developments are setting clearer expectations for responsible AI use, including transparency, explainability, and human oversight.

Internal audit should assess AI governance frameworks, model risk management practices, and regulatory readiness. This includes evaluating the inventory of AI systems, decision boundaries, training data quality, and the effectiveness of human-in-the-loop safeguards. Assurance should also extend to third-party AI tools, ethical risk assessments, and the organisation’s internal audit capability to audit AI use cases across the lifecycle, from planning and testing to reporting and continuous monitoring.

Data remains a strategic asset, but poor governance creates significant risk. The UK Data Use and Access Act (DUAA), GDPR, and AI regulations are reshaping data compliance requirements, with increased expectations around transparency, traceability and accountability.

Internal audit should assess the design and operating effectiveness of data governance frameworks, privacy controls, and data resilience strategies. This includes evaluating metadata standards, lineage mapping, dark data risks, and the integration of data risk into the enterprise risk management framework. Assurance should also cover third-party data access, staff awareness and training, and the organisation’s ability to respond to regulatory changes and data breach incidents.

Cloud adoption and digital transformation continue to accelerate, but bring new risks around cost optimisation, resilience, and compliance. ESG considerations and geopolitical tensions are also impacting cloud strategies, with increased scrutiny around data sovereignty, vendor lock-in, and supply chain resilience.

Internal audit should assess cloud governance frameworks, cost management practices, and the resilience of cloud supply chains. This includes evaluating vendor diversification strategies, contract terms, incident response capabilities, and alignment with evolving regulations such as NIS2 and the UK Cyber Security and Resilience Bill. Assurance should also extend to ESG integration, data privacy controls, and the effectiveness of cloud sustainability initiatives.