Blog

The Internal Auditor’s Playbook for 2026: What to Put on Your Plan (and Why)

Every September, I talk with audit leaders facing the same challenge: how do we fit a year’s worth of risks into one audit plan?

The instinct is often to lean on the familiar. Financial controls. Operations. Maybe a nod to cyber. But if 2025 taught us anything, it’s that risks don’t sit still.

The IIA’s latest Risk in Focus 2026 report confirms what many of us already feel: cybersecurity is still the top concern globally, but it’s joined by fast-rising threats like AI, geopolitics, and talent. (IIA Risk in Focus 2026)

So instead of defaulting to last year’s plan, I recommend a playbook approach — one that ensures you’re covering what matters most now. Let’s walk through it.


Cybersecurity: Still the Top Risk

Cybersecurity isn’t going anywhere; it remains the #1 risk for organizations. But here’s the uncomfortable truth: many firms are still tripping over the basics.

I’ve seen too many audit reports uncover dormant admin accounts, delayed patch cycles, and weak vendor oversight. These aren’t sophisticated zero-day attacks; they’re hygiene issues, and hygiene issues are exactly what an attacker who has already phished one user goes looking for.

Audit’s role is to shine a light on those gaps. Are patches current, measured against a defined SLA rather than “when IT gets to it”? Are privileged accounts reviewed and the dormant ones disabled? Are cloud configurations locked down? Do third parties meet your own security standards? And when the inevitable breach happens, has management tested its incident response in a live simulation, not just on paper?
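Two of those questions can be turned into a repeatable test rather than an interview answer. The following is an added example, not code from the original post: given an identity export and a patch inventory (both constructed sample data here), it flags enabled privileged accounts with no login inside a dormancy window and hosts whose oldest missing critical patch is past the patch SLA. The column names, the audit date, the 90-day dormancy window and the 30-day SLA are assumptions an auditor would replace with the organization’s own policy values and actual exports.

```python
"""Added example (not from the original post): a minimal, repeatable audit test
for two hygiene gaps named above, dormant privileged accounts and overdue patches.
ACCOUNTS_CSV and PATCHES_CSV are constructed sample data; the column names, AS_OF,
DORMANT_DAYS and PATCH_SLA_DAYS are assumptions to be replaced with real policy values."""

import csv
import io
from datetime import date, timedelta

AS_OF = date(2026, 1, 15)   # audit date fixed so the run is reproducible (assumption)
DORMANT_DAYS = 90           # assumed policy: privileged accounts unused >90 days are dormant
PATCH_SLA_DAYS = 30         # assumed policy: critical patches applied within 30 days of release

# Constructed identity export: one row per account.
ACCOUNTS_CSV = """\
username,privileged,enabled,last_login
alice,true,true,2026-01-10
bob,true,true,2025-09-01
svc-backup,true,true,
carol,false,true,2025-06-01
dave,true,false,2025-01-01
"""

# Constructed patch inventory: one row per host, with the release date of the
# oldest critical patch still missing (empty field = fully patched).
PATCHES_CSV = """\
host,oldest_missing_critical_release
web-01,
db-01,2025-11-20
vpn-01,2026-01-05
"""


def _parse_date(value):
    """Return a date for a YYYY-MM-DD field, or None for an empty field."""
    return date.fromisoformat(value) if value else None


def dormant_privileged_accounts(csv_text, as_of=AS_OF, window=DORMANT_DAYS):
    """Return usernames of enabled privileged accounts with no login inside the
    dormancy window. Accounts with no recorded login at all are flagged too: a
    privileged account that has never authenticated is still a standing credential."""
    cutoff = as_of - timedelta(days=window)
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["privileged"].lower() != "true" or row["enabled"].lower() != "true":
            continue  # disabled or unprivileged accounts are out of scope for this test
        last = _parse_date(row["last_login"])
        if last is None or last < cutoff:
            flagged.append(row["username"])
    return flagged


def hosts_breaching_patch_sla(csv_text, as_of=AS_OF, sla=PATCH_SLA_DAYS):
    """Return (host, days_past_sla) for hosts whose oldest missing critical
    patch was released more than `sla` days before the audit date."""
    breaches = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        released = _parse_date(row["oldest_missing_critical_release"])
        if released is None:
            continue  # nothing missing on this host
        age = (as_of - released).days
        if age > sla:
            breaches.append((row["host"], age - sla))
    return breaches


if __name__ == "__main__":
    print("Dormant privileged accounts:", dormant_privileged_accounts(ACCOUNTS_CSV))
    print("Hosts past patch SLA:", hosts_breaching_patch_sla(PATCHES_CSV))
```

The point of scripting the test is that it can be re-run on a fresh export at each review, so the finding is a measured population (how many dormant accounts, how many days past SLA) rather than a sampled anecdote, and the same thresholds get applied every time.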

The IIA now requires cybersecurity coverage under its new Cybersecurity Topical Requirement, a sign that this is no longer optional. (CrossCountry Consulting)


Digital Disruption & AI: Governing the Unknown

AI has gone from buzzword to boardroom in less than two years. But here’s the problem: governance hasn’t caught up.

When I ask companies, “Who owns AI oversight here?” the answers vary wildly. Some point to IT. Others to Risk. Too often, no one owns it.

That’s a red flag. Internal audit should be cataloging every AI or digital project underway, asking tough questions about privacy, data quality, and bias controls. Even if the scope is small, an “AI use” audit belongs in your 2026 plan.

The latest Risk in Focus 2026 shows digital disruption/AI jumping into the top three risks across Europe. (IFACI Report) That tells us this isn’t hype anymore; it’s reality.


Geopolitics & Economics: Stress-Testing the Unthinkable

Tariffs, sanctions, supply chain shocks. We’ve learned how fast the global chessboard can shift.

Too many mid-market firms assume continuity plans will “just work” if disruption hits. But when I run tabletop exercises, walking through what happens if a key vendor in a high-risk region goes offline, the gaps show up quickly.

Audit has a role here: test the resilience of supply chains, check contingency funding, and pressure-test escalation protocols. It’s about making sure crisis management isn’t just a binder on a shelf.


Regulatory Compliance: Readiness Is the Real Risk

The compliance environment for 2026 is only getting more complex. Data privacy laws, ESG reporting requirements, and industry-specific rules are multiplying.

Audit shouldn’t just check boxes after the fact. Ask: How is the business tracking regulatory change? Is board oversight real, or performative? And are ESG disclosures actually validated before they reach the public?

Too often, firms find compliance gaps only when regulators come knocking. Building “compliance readiness” into your audit cycle is non-negotiable.


Business Resilience: Plans That Work

If there’s one theme I’ve seen repeat, it’s this: continuity plans don’t fail in writing. They fail in execution.

Audit should verify that recovery objectives are realistic, systems like ERP and cloud apps are included in testing, and lessons learned from past disruptions are actually applied. Resilience is about proving plans work under stress, not about filing them away for the next exam.


Human Capital: The Overlooked Risk

Every risk area comes back to people. Yet human capital audits remain the exception, not the rule.

Risk in Focus 2026 highlights talent as one of the fastest-rising risks. (IFACI Report) But most plans still don’t cover succession gaps, culture risks, or turnover trends.

Auditors can add real value here by looking at onboarding, training effectiveness, and even ethics culture. Small audits in this space often surface some of the most impactful findings.


Closing Coverage Gaps: The Audit Committee’s Favorite Question

If your plan doesn’t cover a top risk, the audit committee will ask: “Why not?”

Don’t wait for that uncomfortable moment. Map your risk assessment to your audit plan. If something is uncovered, document why. If resources are tight, propose an advisory review instead of ignoring it.

Coverage maps are now expected — and they’re a powerful way to show how audit is aligned with strategy.


Final Word

The best audit plans don’t look perfect in January. They evolve as risks evolve.

For 2026, focus on the fundamentals (cyber, governance, compliance) while carving out room for emerging challenges like AI and talent. And always keep capacity to flex mid-year.

I’ll leave you with this: Which of these risk areas do you feel is most under-covered in your organization today, and why?