As organizations enter 2026, they continue to face an environment defined by persistent uncertainty. Multiple challenges lie ahead, from advances in artificial intelligence (AI) to evolving regulatory requirements, demanding heightened agility and oversight. The complexity of the current risk landscape presents not only challenges but also opportunities for organizations to prepare, adapt, and even get ahead. In this context, the Internal Audit Function (IAF) plays a crucial role in helping organizations turn uncertainty into informed and proactive action.
Through this article, KPMG outlines the key risk areas that may matter across your organization and recommends embedding them in your dynamic audit plan: one that integrates emerging risks while acknowledging that established threats remain highly relevant. Our aim is to provide audit functions with a clear overview of these evolving risks, along with practical considerations for how teams can respond effectively. Although the list of risks presented is not exhaustive, it offers a strong foundation from which audit functions can assess their organization’s risk profile and control environment in the period ahead.
Key risks for Internal Audit in 2026
Translating the risk landscape into practical internal audit priorities requires focusing on areas where risk exposure is high and assurance adds the most value. While priorities differ by industry and organizational context, audit functions should concentrate on the most significant risks without losing sight of broader developments. With this in mind, we highlight three macro factors that should shape internal audit priorities in 2026.
External pressures
Organizations operate in an increasingly interconnected environment where geopolitical tensions, economic uncertainty, regulatory change, and environmental risks converge, making external pressures more frequent and unpredictable. To remain resilient, organizations need agile and forward-looking risk management. In this context, internal audit should focus on external factors that can rapidly disrupt operations, strategy, and compliance. Key external pressure areas include:
Third-party relations and supply chain
Growing reliance on complex and globalized supply chains increases exposure to disruption:
- Geopolitical developments, regulatory divergence, and supplier concentration can amplify operational and compliance risks.
- Limited transparency across extended supply chains may obscure emerging vulnerabilities.
Volatile regulatory requirements
The regulatory landscape continues to expand and evolve, often across multiple jurisdictions:
- Overlapping, fast-changing, or ambiguous requirements increase compliance complexity and execution risk.
- Heightened scrutiny of governance and disclosure expectations, reinforced by new regulatory initiatives (e.g., EU Pay Transparency Directive, Critical Entities Resilience (CER) Directive, AI Act, and corporate governance codes), increases reputational and accountability risks as documentation and reporting requirements expand.
Economic and geopolitical volatility
Persistent global instability continues to affect markets, costs, and strategic assumptions:
- Energy and commodity price fluctuations, inflationary pressures, rising taxes and customs tariffs, and geopolitical conflict and tensions challenge organizations’ financial planning and resilience.
- Strategic decisions may be based on assumptions that no longer reflect external realities.
The role of internal audit
To incorporate these external pressures into the audit plan, internal audit can:
• Integrate geopolitical, economic, and regulatory factors into internal audit risk assessments and audit scoping.
• Review crisis and continuity preparedness to determine whether the organization is resilient enough to respond to sudden external shocks.
• Evaluate third-party risk management practices, including monitoring of geopolitical and regulatory exposure across the supply chain.
• Assess regulatory readiness by reviewing governance, legal watch, change-management, horizon scanning, and stakeholder engagement processes.
• Assess whether strategic and resilience planning sufficiently incorporates external risks that could threaten the continuity of critical activities.
Operational challenges
Organizations face growing operational pressures driven by economic instability, rising cost pressures, and evolving workforce dynamics. These pressures increase execution risk across the operating model and require robust strategies to safeguard efficiency, resilience, and performance. Against this backdrop, internal audit should prioritize areas where operational vulnerabilities could undermine strategic objectives or financial sustainability. Key operational challenge areas include:
Profitability, inflation, and liquidity
Persistent inflation, interest rate volatility, and margin pressure heighten the risk of weakened financial resilience and constrained liquidity:
- Cost structures and pricing models may become misaligned with economic conditions.
- Liquidity buffers and funding assumptions may be insufficient under adverse scenarios.
Operational resilience
Disruptive events are becoming more frequent and complex, with impacts amplified by operational and digital interdependencies:
- Business continuity and crisis management arrangements may not fully reflect severe but plausible disruption scenarios.
- Dependence on IT systems, third parties, and shared services can create single points of failure.
Human capital and culture
Labor market constraints and changing ways of working are reshaping workforce risk:
- Talent shortages, hybrid working models, and AI-driven role changes can affect capacity, skills, and productivity.
- Misalignment between culture, incentives, and strategic priorities may weaken operational execution.
The role of internal audit
To address operational challenges effectively, internal audit can:
• Evaluate financial resilience by assessing controls around profitability, cost management, and liquidity planning.
• Review operational resilience through targeted reviews of business continuity, crisis management, and IT recovery capabilities, including the management of key interdependencies.
• Assess workforce management and culture initiatives to determine whether human capital strategies support current and future operational needs.
• Challenge whether operational controls, resources, and monitoring arrangements are sufficient to deliver strategic and performance objectives under stressed conditions.
Technology
Rapid technological change continues to reshape industries, introducing both significant opportunities and heightened risks. Digital transformation, the rapid adoption of emerging technologies, and escalating cyber threats create a complex landscape in which internal audit must provide targeted and informed assurance over technology-related risks. The most relevant risk areas include:
AI and emerging technologies
The adoption of AI and other emerging technologies introduces new ethical, regulatory, and operational challenges:
- Unclear accountability, insufficient governance, or immature risk management may lead to unintended outcomes or regulatory scrutiny.
- Rapid innovation combined with decentralized system ownership, development and procurement can outpace established governance and control frameworks.
Digital transformation and cloud adoption
Large-scale digital initiatives and cloud migrations increase dependency on complex, interconnected and third-party-managed technology environments:
- Weak program governance or inadequate integration can limit value realization.
- Inconsistent security and data management practices may undermine system resilience and trust.
- High dependency on cloud providers and limited flexibility to switch or exit can jeopardize operational resilience and compliance requirements.
Cybersecurity
Cyber threats continue to intensify in scale, sophistication, and impact, with an expanding target landscape affecting organizations across all sectors:
- Ransomware, state-sponsored attacks, and vulnerabilities in legacy systems increase the risk of prolonged disruption.
- Inadequate detection, response, or recovery capabilities can significantly amplify operational, financial, and reputational damage, particularly in light of enhanced cyber resilience expectations under NIS2 and DORA.
The role of internal audit
To effectively incorporate technology risks into the audit plan, consider the following actions:
• Review technology and AI governance to determine whether oversight structures, policies, and accountability mechanisms are fit for purpose.
• Assess digital transformation and cloud initiatives by evaluating program governance, system integration, and change-management practices.
• Strengthen cybersecurity assurance through testing of threat detection, incident response, and recovery capabilities.
• Evaluate data governance and cloud security to confirm alignment with regulatory requirements and the organization’s risk appetite.
How can KPMG help?
Effectively managing risks is essential to maintaining organizational resilience in an increasingly complex environment. KPMG supports your internal audit function by strengthening your internal audit methodology, and by translating risk landscapes into focused, executable audit plans aligned with current regulatory expectations and professional standards.
KPMG also provides hands-on support in the execution of audits by mobilizing multidisciplinary subject-matter experts across key risk domains such as governance, finance, IT and cyber, cloud and AI, regulatory compliance, and operational resilience. These specialists work alongside our internal audit teams to deliver targeted assurance, practical insights, and actionable recommendations throughout the audit process.
Through the targeted use of data analytics, technology-enabled audit techniques and proven digital tools, KPMG helps internal audit functions improve efficiency, insight, and overall assurance value.
Authors:
An Vanderhulst, Principal & Michiel Thijs, Manager Advisor