The new Risk in Focus 2026 report is out. Coordinated by ECIIA with 14 European Institutes of Internal Auditors across 15 countries, this 10th-anniversary edition draws on 879 responses from chief audit executives (CAEs), 5 roundtables with 44 participants, and 10 in-depth interviews to map the key challenges and where internal audit is spending (and will spend) its time.
Key findings
Cybersecurity and data security remain the top organisational risk. 82% of CAEs rated it their most important threat, and 72% say it is where internal audit currently spends the most time; CAEs also expect it to stay number one in three years. Post-quantum readiness is beginning to feature in audit scopes.
Human capital, diversity, talent management and retention holds second place again in 2026. Yet it ranks lower for internal audit effort today, signalling a gap between perceived risk and audit coverage.
Digital disruption, new technologies and AI rises to third place (up from 4th in 2025). 58% of CAEs expect it to be a top-five focus area for internal audit within three years, second only to cybersecurity.
Macroeconomic and geopolitical uncertainty sits joint 4th with changes in laws and regulations, with CAEs highlighting its knock-on effects across other risk categories (trade, compliance, cyber, AI).
Climate change, biodiversity and environmental sustainability falls to 10th in this year’s ranking. Only 24% of CAEs expect it to be a top-five area of audit focus by 2029 (down from 40% last year), reflecting policy and regulatory uncertainty despite worsening climate impacts.
Across the survey, the top four risks beneath cybersecurity are now tightly clustered (≈45–48%), underlining how interconnected they’ve become and why boards need agile assurance and advice.