Four risks dominating board agendas in 2026 and how internal audit teams should frame them

Cybersecurity is still the top organizational risk worldwide. But the four risks clustered just below it have shifted significantly year-on-year and many internal audit functions have not adjusted their board reporting to match. That misalignment is a problem.

Risk in Focus 2026, the IIA's flagship annual research initiative, surveyed more than 4,000 Chief Audit Executives across 131 countries. The data reveals a clear set of priorities dominating board agendas heading into 2026 and an equally clear gap between those priorities and where internal audit spends most of its time.

This article breaks down the four internal audit risks for 2026 that matter most to boards right now and offers a practical framing approach for each.

The board-audit disconnect: why framing matters as much as findings

Before getting into each risk, the underlying issue is worth addressing. According to Risk in Focus 2026, there is a persistent gap between what boards identify as top risks and the areas where internal audit focuses its effort.

| Risk area | Board risk ranking | Audit effort ranking |
| --- | --- | --- |
| Cybersecurity and data security | 1st (73%) | 1st (69%) |
| Digital disruption and AI | 2nd (48%) | 8th |
| Human capital and talent | 4th (43%) | 9th |
| Geopolitical uncertainty | 5th (North America) | 14th (North America) |

Digital disruption is the second-highest board risk but ranks only eighth for audit effort. Human capital is fourth as a board risk but ninth for audit effort. Geopolitical uncertainty spiked 19 percentage points year-on-year in North America yet ranked 14th for audit priority.

Some of these gaps have legitimate explanations. Geopolitical risk is difficult to audit directly and many organizations lack mature processes in areas like human capital governance. But the result is the same: when internal audit presents findings on areas that are not top-of-mind for the board, the conversation feels misaligned.

The fix is not always changing what you audit. Sometimes it is changing how you frame what you already know.

Cybersecurity risk: move past the jargon

Cybersecurity remains the number one organizational risk globally at 73%. In North America, that figure reaches 86%. The threat continues to evolve rapidly. Risk in Focus 2026 roundtable participants reported firsthand experiences with AI-generated fake IDs, deepfake-enabled fraud and increasingly convincing phishing campaigns.

How to frame it for the audit committee: Board members do not need a breakdown of firewall configurations or patch management cycles. They need to understand three things: which systems are most critical to operations, what the financial and reputational exposure of a breach would be and whether incident response capabilities match the current threat landscape.

The IIA's Cybersecurity Topical Requirement, published in February 2025, provides a useful structure covering governance, risk management and controls. It gives internal audit a framework for board reporting that translates technical risk into business language.

AI and digital disruption risk: governance is still a greenfield

Digital disruption, including AI, jumped to the second-highest global risk in 2026, cited by 48% of respondents. In North America, 53% ranked it as a top five risk. In Europe, 58% of CAEs predicted it would be a top five priority within three years.

Organizations are assembling AI governance teams and CAEs are increasingly being included. But governance frameworks remain immature. One financial services CAE in the North America research described AI governance as a "greenfield" for internal audit.

How to frame it for the audit committee: Present both opportunity and risk. The board needs clarity on whether the organization has a defined AI strategy, who holds accountability for AI governance, what controls exist around data quality and algorithmic bias and whether vendor contracts allow flexibility as the technology evolves.

One European CAE offered a useful mental model: treat generative AI like a super-smart intern that requires constant supervision. It looks smarter than it actually is.

Geopolitical and macroeconomic uncertainty: make it specific to your organization

This risk spiked dramatically in 2026, rising 19 percentage points year-on-year in North America. It now sits alongside business resilience and regulatory change as a top five risk in most regions.

The impacts are already being felt. Organizations are reassessing supply chains, expanding inventory of critical materials and re-evaluating market exposure. At one international clothing retailer cited in the research, geopolitical uncertainty became a top enterprise risk and internal audit stepped up its advisory work to keep management informed about tariffs and military actions affecting suppliers.

At a Wisconsin-based utility company, Audit Manager Andrea Klubertanz described in the research how her team shifted away from routine audits and started reviewing risks in construction, procurement and strategic resource alliances. The reason was straightforward: that is what their stakeholders and audit committee wanted to see.

How to frame it for the audit committee: Generic geopolitical commentary is not useful to a board. What is useful is mapping how specific shifts translate into operational and financial risk for your organization. Supply chain dependencies, currency exposures and regulatory divergence across key markets are concrete starting points. Internal audit can also add value by testing whether decision-making processes are free from groupthink and whether contingency plans have been stress-tested.

Human capital and talent risk: the biggest gap in audit coverage

Human capital risk ranked fourth globally at 43% and was the second-highest risk in Europe. Yet the gap between risk rating and audit effort is the widest of any category. In North America, there is a 27 percentage point difference.

The concerns span AI-driven deskilling, talent retention, remote work governance and the absence of strategic workforce planning. Several CAEs in the Risk in Focus 2026 research noted that their organizations lacked top-level ownership of human capital risk and that HR planning focused mainly on short-term headcount rather than long-term strategic needs.

A CAE from a financial institution in the Netherlands put it directly: internal audit should be able to judge how well the talent strategy of the board matches the organizational vision and act as a sparring partner to provide constructive challenge.

How to frame it for the audit committee: This is the risk where internal audit can add the most immediate advisory value. Help the board understand whether the talent strategy aligns with broader strategic objectives, whether AI implementation plans account for workforce impacts and whether governance structures exist to manage human capital risk at the enterprise level. Where formal plans and processes are lacking, providing advisory services is the most effective way to demonstrate value.

Connecting the dots is the real job

You do not need to be a subject matter expert in all four areas. The role of internal audit is to connect the dots between these risks and the organization's strategy and to make sure the board has the information it needs to make sound decisions.

The CAEs making the biggest impact in the Risk in Focus 2026 research share one trait: they stopped waiting to be asked and started showing up with answers. They lead with business impact, not audit methodology. They frame findings around strategic risk, not control deficiencies. And they treat every audit committee meeting as an opportunity to demonstrate that internal audit is a strategic partner, not a compliance checkbox.

For the full picture on closing the gap between board priorities and audit effort, Ideagen's guide, Bridging the gap: How Internal Audit teams can have more productive conversations with the board, covers the complete framework.

Sources: Risk in Focus 2026, North America (IIA/Internal Audit Foundation, 2025); Risk in Focus 2026, Europe (ECIIA, 2025).


Noor serves as an experienced Marketing Executive within Ideagen's comprehensive software portfolio. She specializes in making complex compliance and EHS concepts accessible to everyone, turning industry jargon into clear, compelling stories. Passionate about bold, innovative marketing strategies, Noor works to elevate brand identity and connect organizations with smarter ways to manage risk and regulatory change.