Bridging the gap: Why having a strategic audit function is critical right now
This article originally appeared in our November 6 edition of the Diligent Minute Newsletter. For more insights like these, delivered straight to your inbox, subscribe here.
Cyber threats, AI disruption, and geopolitical instability are
reshaping the audit landscape — and 4,000 audit leaders across
131 countries have weighed in. Whether you’re on the internal
audit team, serving on your board’s audit committee, or working in
partnership with them, the IIA’s 2026 Global Risk in Focus report
has insights for you. This year’s edition reveals the key risk areas
to focus on and highlights how risk is changing across regions and
sectors (with tips on how to achieve compliance with updated
internal audit standards).
2026 Global Risk in Focus: Top risks for internal audit (Cybersecurity, AI, Geopolitics)
1.Cybersecurity remains the number one concern for
organizations worldwide, with 73% of respondents
naming it a top five risk. The threat is especially
pronounced in North America and Europe, where more
than 80% of organizations put it at the top of their list.
2.Digital disruption, including the rapid adoption of AI,
has seen the second largest jump in perceived risk with
an increase of 9 percentage points year-over-year.
Organizations are racing to implement new technologies,
but many are running into infrastructure and skills gaps.
3.Geopolitical uncertainty leapt 10 percentage points
globally, now ranking sixth overall. North America saw the
sharpest spike (up 19 points), driven by shifting U.S. trade
policies and global conflicts.
4.Business resilience (47%) and human capital (43%)
round out the top global risks. Organizations are feeling
the pressure to shore up supply chains and crisis response
capabilities. Meanwhile, talent shortages, wage
competition, and generational shifts keep human capital
risk firmly on the agenda.
One standout: Regulatory change (41%) is closely linked to
geopolitical risk. Where political uncertainty is high, regulatory
challenges follow.
How audit committees can close the risk-to-audit gap
I asked Curtis Warfield, experienced public company director,
Audit Committee Chair, and former Chief Audit Executive, his
thoughts on bridging the risk-to-audit gap. He outlined five steps:
1.Address key barriers
“As an Audit Chair, I see the gaps as driven by limited
expertise in emerging areas like AI and digital disruption,
audits taking longer than planned, and the need to balance
enterprise-wide coverage with limited resources.” says
Warfield.
“It’s a risk–reward trade-off,” he goes on. “Sometimes
management also has major deliverables in progress,
which limits timing for audits. Audit committees can help
by understanding these constraints, supporting skills
development, and encouraging dynamic adjustments to
the plan when new or fast-moving risks emerge.”
2.Align with emerging technology risks
“Internal audit should not just police — it should partner,”
says Warfield. “The key is alignment with senior leadership
so internal audit can help ensure technology risks are
managed without slowing innovation.”
He adds, “Audit leaders should focus on being strategic
partners, not just reviewers, and work closely with the
business to embed technology risk considerations into
transformation projects from the start.”
3. Engage on strategic risks
Audit committees add the most value when they
understand the process behind the audit plan. “Members
should take time to learn how the ERM process connects to
strategy and how audit allocates time across the risk
profile,” advises Warfield. “That understanding makes it
easier to have meaningful dialogue about priorities.
Regular communication and progress updates help keep
the plan dynamic and aligned with emerging risks.”
4.Support advisory work while maintaining independence
“Tone at the top is critical,” Warfield emphasizes. “The
audit committee and board chair can reinforce that internal
audit’s role is not to police management, but to be a
strategic partner while maintaining independence. It’s a
delicate balance — audit must still provide objective
assurance, but it can also offer valuable advisory input on
AI governance, risk frameworks, or scenario planning.
Clear boundaries and communication make both roles
possible.”
5.Build an agile, forward-looking partnership
Agility starts with alignment. “Everyone should understand
the audit process, how it ties to enterprise risk and strategy,
and how resources are deployed,” says Warfield. “The audit
committee should be willing to adjust its agenda
throughout the year for new risks and ensure flexibility in
hours and resources to respond to change. That’s how
audit and the board can stay proactive and effective in
uncertain environments.”
Looking to stay ahead of the curve on audit governance? Check
out the IIA’s new Center for Audit Committee Leadership. The
Center offers audit committee members tailored strategic advice,
best practices, and educational resources to help ensure internal
audit functions are effectively structured and integrated within
your organization’s governance framework.
Related resources
Cybersecurity, Audit and the Board
Diligent Institute and Bitsight analyzed public company board structures to better understand board oversight of cyber risk.
Charting the geopolitical risk landscape
Tina Fordham, Founder of Fordham Global Foresight, shares insights on the geopolitical landscape and risk mitigation.
Enterprise risk management framework
Discover what enterprise risk management (ERM) is, why it matters and how it helps organizations reduce risk while driving long-term value.
