This year has brought a plethora of research reports and predictions on the future of internal audit. I applaud all who strive to help internal audit professionals focus on the road ahead. But each time I look to the horizon, I am guided by the views from the front lines. What is keeping chief audit executives awake at night when it comes to their teams’ ability to serve their organizations and deliver on stakeholder expectations.

Since 2021, I have surveyed annually on the strategic risks CAEs believe their organizations will face in the coming five years. The consistency of answers in the first three years was remarkable. The top strategic risk – by a wide margin – was the potential “inability of internal audit departments to recruit and retain the talent” necessary to serve their organizations.

So, when I launched my latest survey last month, I anticipated similar results. I couldn’t have been more wrong. Much to my surprise (and relief, frankly), most CAEs now see the No. 1 strategic risk as an inability to leverage AI to drive greater internal audit efficiency and productivity – and it isn’t even close.

A year ago, only 36% of survey respondents said the inability to leverage AI was a strategic risk for their internal audit teams – ranking it fourth. This year, more than 60% put it on top, above not only talent risk, but also ahead of an inability to identify emerging risks and an inability to leverage non-AI technology risks (which ranked higher a year ago).

Potentially signaling a heightened awareness of looming strategic risks, the response rate to this year’s survey was more than 25% greater than a year ago. These respondents weighed in from every region of the world, with almost 70% from outside North America.

Two new strategic risks debuted in the top 7: a lack of coordination across the three lines (connected risk), and the potential inability to transform from value protection to value creation. They bumped an inability to effectively leverage non-AI technology and stakeholder audit/oversight fatigue.

Let’s take a deeper look at each of the top 7 strategic risks facing internal audit in the next five years.

1. An Inability to Leverage AI to Drive Greater Internal Audit Efficiency/Productivity

Given the rapid proliferation of AI over the past two years, and the slow rate of adoption by many internal audit functions, it was only a matter of time before this became a significant strategic risk. As I noted in AuditBoard’s recently published 2025 Focus on the Future Report, almost half of all internal audit functions admit to having made no effort toward implementing generative AI in any part of their work. I further noted that only 4% of internal audit functions report substantial progress in implementing generative AI in any area. Fewer than 1 in 10 report any progress in using AI to develop the annual internal audit plan, and about 1 in 5 report the same for engagement planning, reporting engagement results, fieldwork, or risk assessment. 

While the number of internal audit functions reporting any progress in implementing AI doubled from last year’s AuditBoard report, that gain does not impress upon closer examination: The increase went from 9% to a mere 21% implementation in engagement planning. More alarming than the slow rate of AI adoption is the apparent limited understanding of AI’s potential use by internal auditors. Only 27% of AuditBoard survey respondents indicated that they “have a clear understanding of the major uses of AI.”

Surprisingly, only 13% of respondents believed that AI assuming some or all of their mission is a top 3 strategic risk, but that optimism may be displaced given the acknowledged gap in understanding AI’s potential. I have been saying for almost two years that I do not believe AI will replace internal auditors. But I do believe internal auditors who do not effectively use AI will be replaced by those who do.

2. An Inability to Attract and Retain Talent

Internal audit talent risks have registered near the top of every pertinent survey since COVID. Given its evolution and the increasing volatility and complexity of risks, internal audit functions need a unique mix of technical, analytical and interpersonal skills, spanning areas such as risk management, compliance, IT and data analytics.

In many organizations, internal audit is viewed as a steppingstone to other roles, making retention difficult. Without competitive compensation, clear career paths and opportunities for professional development, CAEs find it difficult to hold onto highly talented individuals striving for better opportunities.

3. A Lack of IT Expertise

Cybersecurity and other technologies have soared to the top of many organizations’ risk portfolios. Focus on the Future revealed that, not only were cybersecurity and data security top risks facing organizations overall, they topped internal audit’s focus, as well. In fact, 82% of CAEs rated this risk as “very high” or “higher than average” for their organizations in 2025, versus 81% in the 2024 report and 83% in 2023.

The ability to audit cybersecurity and other IT risks requires specialized skills that (as noted above) are difficult to attract and retain. Given that technology risks are almost certain to remain critical in the second half of the 2020s, it’s no wonder that technology expertise retains such a prominent spot on the list of strategic risks facing the profession.

4. An Inability to Address Emerging Risks

The first half of the 2020s has been characterized by an unprecedented convergence of risk velocity and volatility. Challenges such as the global pandemic, a sudden onset of severe inflation and fierce geopolitical conflicts seemingly materialized overnight and wrought extraordinary destruction of value for many companies.

This era of permacrisis is unlikely to abate. That’s why the future success of internal auditors, and the organizations they serve, will likely be directly linked to their ability to identify and prepare for emerging risks – before they arrive.  

5. A Lack of Coordination across the Three Lines (connected risk)

The fact that this strategic risk made it into the top 7 should not be a surprise. It was the topic of my recently published book, Connected Risk: Conquering the Perilous Risk Exposure Gap. As I noted in the book, “In the era of permacrisis, our risk management platforms are burning. As with any burning platform, we need fire extinguishers in a hurry. Connected risk not only helps us navigate the smoke-induced uncertainty engulfing our organizations, but also positions us for the value creation essential for ensuring their future prosperity.”

If internal auditors, their second-line counterparts and management all remain firmly ensconced in their respective silos, the future for many organizations will be bleak. Given the prominence of this strategic risk on the list, it sounds like many CAEs finally agree.

6. An Inability to Transition from Value Protection to Value Creation

Internal audit historically focused on helping organizations to protect value: ensuring controls would be well designed and implemented. Yet, organizations do not exist simply to protect the value they possess. They exist to create value.

As The IIA’s recently adopted “Purpose Statement” for internal auditing reflects: “Internal auditing strengthens the organization’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight.” Yet, many CAEs struggle to convince their key stakeholders that internal audit has the skills and abilities beyond those needed for value protection.

This strategic risk is new to the top 7, but I suspect it will remain there for years to come.

7. An Inability To Address Critical Risks

An inability to address critical risks moved from sixth to seventh on the list, but it is an evergreen strategic risk that strikes at the heart of any internal audit function’s long-term success. For, if we are looking at the wrong risks, we are unlikely to have the right answers for our organizations. And that failure often leads to “the five scariest words in the English language”: Where were the internal auditors?

This year’s list of strategic risks offered surprises not only from those risks at the top, but also from those that ranked low. Less than 10% of those surveyed ranked the following options among their top three strategic risks in the next five years:

• An inability to effectively leverage non-AI technology (6.6%)
• An inability to comply with new IIA standards (4.27%)
• A de-emphasis of regulatory requirements impacting resources (1.42%)

We’ll see whether the optimism regarding those strategic risks is well-placed. Regardless, there are plenty of things to focus on from the risks that made the list. It’s time to get to work!