Hot Audit Topics for 2026
Advisense recently hosted a webinar on hot audit topics to consider for 2026. The Institute of Internal Auditors (IIA) annually releases a report – Risk in Focus. The report compiles the results of a qualitative survey among Chief Audit Executives (CAEs) across 15 European countries with nearly nine hundred respondents. The risk landscape has not changed much compared to last year and is still very much influenced by the war in Ukraine, but macroeconomic and geopolitical uncertainty has increased even further, driving protectionism and changed behaviours. This causes big challenges in supply chains, and we have seen increased risks of cyber threats, sabotage and more. Adding to that, the development of AI further increases the risk of disruption to business models, and also to trust.
A changing environment
We are living in a world that is riskier and more uncertain than it has been for many years. A state of crisis is nowadays a normality facing all types of organisations. The world is more digitally connected than ever before. As a result, there are multiple threats in the world, such as organised crime, nation-state actors, activism, hackers, and “hacktivism” – combining the words “hack” and “activism” – which is the act of misusing a computer system or network for a socially or politically motivated reason.
Organised crime has transformed from bank robberies to cybercrime, where new types of cybercrime are constantly emerging. It is a known fact that nation-state actors systematically carry out activities to obtain information not only from government authorities but also from businesses that might possess valuable information or have a crucial role in society. The aim is not only to obtain information but also to create uncertainty and mistrust towards organisations and society.
Different kinds of activities – creating disruptions, intrusions to publish sensitive information, information theft for sale to competitors, and ransomware attacks (which have exploded in recent years) – can cause great damage to the organisation and constitute a severe reputational risk. As of today, it is not a matter of if an organisation will be attacked with ransomware, it is more a matter of when it will happen. This increases the need for organisations to educate all employees and to ensure that proper processes are in place to handle potential ransomware attacks.
The risk ranking for climate change, biodiversity and environmental sustainability has taken a huge step backwards. This probably reflects that even though climate change is still highly evident, other risks currently rank higher for each organisation.
So, what can we as internal auditors do? Well, given the risks and changes in the risk universe, Advisense has identified several areas that we find are relevant to consider in the upcoming audits for 2026.
Increased focus on strengthening resilience in critical societal functions
National security threats have increased dramatically over the past few years, and not only organisations close to the defence industry are affected, but many more. Assets need to be protected and readiness for an escalation of the war in nearby areas must be prepared for. Further, technical development is also happening very fast, with for example AI, blockchains etc., which poses challenges in maintaining solid internal control and information security in the system environments. This, in combination with increased criminality, antagonistic threats, sabotage and undue influence from parties controlled by other states, increases the requirements on protection measures and safeguards for all organisations.
Within the European Union several directives and regulations have been issued, all aimed at strengthening resilience in critical societal functions – NIS2, CER, CRA, DORA etc.
Business continuity management and crisis management in critical societal functions
There is now more focus on protecting and strengthening resilience in critical societal functions than has been the case for many years. According to MSB, the most important areas to work on to strengthen the resilience of these functions are risk management, business continuity management, information and cyber security, and incident management.
How do you know whether your organisation carries out operations that constitute critical societal functions, and therefore has critical societal operations?
MSB has produced a list of examples of critical societal functions that can serve as a guideline to see whether your business might be a critical societal function. Government agencies with responsibilities for coordinating resilience within certain sectors are starting to publish further guidance. For example, the Swedish FSA recently published new planning guidelines for financial institutions, which describe the goal of contingency planning in the financial sector and aim at strengthening resilience in society (Planeringsinriktning för finansiella företag Dnr 25-30875).
To further investigate whether you have critical societal operations, MSB recommends performing a risk and vulnerability assessment.
One key activity to protect critical societal operations is to have robust business continuity management (BCM) and crisis management in place. Even though this is already an area where internal audit spends much time and effort, it is expected to continue to do so in the next couple of years, not least because of the geopolitical situation.
Although crisis management and business continuity management are closely related, there are distinctions between them. For example, BCM is proactive while crisis management is reactive. Business continuity focuses on a set of plans and procedures to ensure that an organisation is resilient and able to recover. It involves planning for any potential major incident or disaster by identifying potential threats and analysing their impact on the organisation's day-to-day operations. Crisis management is complementary to business continuity and is the process of managing and dealing with a crisis.
We suggest auditing this area to ensure that the organisation has developed plans for crisis and continuity management that cover the most critical processes. It is important that organisations have updated scenarios to work with: there is a huge difference between the potential scenarios of today and those of five years ago. Most organisations are also dependent on external providers, both within the country and abroad, which makes it more complex to ensure continuity and resilience in the business. Further, it is common that the plans are not tested on a regular basis, which can lead to problems not being detected and solved.
If you have not audited this area recently, it is time to do it now.
Audit of compliance
In the financial sector there is a long history of strong focus on compliance. It is widely mandated by regulation to have a compliance function – a second line function – which seeks to ensure oversight of all regulations, educate on new or updated regulations and, not least, follow up on the organisation's compliance with regulations and report the results to the board.
In other sectors the three-lines model has not been established, and you will find different ways of working with compliance. In the private sector, especially industrial companies, it is quite common to have one or more ISO certifications. In this case compliance is monitored and followed up through second line internal audits. This is also the case for some parts of the public sector. In other parts it is often said that compliance is integrated into normal governance. What is common among these types of organisations is that there is no central compliance function, and follow-up and reporting of compliance issues are often fragmented and unstructured.
However, we see that also for organisations outside the financial sector, compliance risks are increasing, since more regulations can lead to fines if you breach them.
As auditors we need to audit the processes that organisations without a dedicated compliance function have implemented to ensure regulatory compliance in all areas that apply to them. How does the company ensure that major deviations, which could have a material impact on the company, are identified, assessed and handled? Is there clear guidance in place? Does the process provide management and the board with a clear view of the major deviations and weaknesses and their potential impact both within and outside the organisation?
IT and Cybersecurity
The results of the Risk in Focus survey confirm that cyber and data security remains the major source of risk within business. Even the other areas that are highest on the list (talent management, new technology and AI, changes in laws and regulations) are very much connected to cybersecurity risks.
In the last decade many internal audit functions have focused on overall governance of information and cyber security, and in recent years there has also been some focus on security monitoring with the establishment of SOC (Security Operations Center) functions. In the coming years, we believe that the audits need to have more focus on how prepared the organization is to handle actual breaches and cyberattacks as well as managing the risks and opportunities that come with the use of AI.
New cyber-related laws and regulations will also continue to be important for internal audit functions to cover in their audit plans. Depending on the industry that the organization is working in it will be important to ensure compliance against regulations such as NIS2, CER, DORA, CRA and AI Act.
We believe that auditing AI and cyber security incident response are two important areas to consider in the audit plan for 2026.
Auditing AI
The use of artificial intelligence (AI) is increasing rapidly and offers great opportunities for efficiency, innovation and improved decision support. At the same time, the technology entails new types of risks linked to, for example, data protection, transparency and ethical considerations. Lack of governance or insufficient control of AI systems can lead to wrong decisions, discrimination, loss of trust and legal consequences.
The purpose of an AI audit could be to evaluate whether AI is used responsibly, safely and legally, and to ensure that the benefits of the technology are utilized without compromising fundamental values such as legal certainty and privacy.
The audit could include (1) Review of the company’s governance and conditions for using AI tools, (2) Review of general internal controls for existing AI tools, and (3) Review of AI systems design and use.
The governance review could include an evaluation of governing documents, the needs and cost analyses performed (where can AI generate the most value?), inventory and classification of AI tools, and management of legal and technical requirements.
The review of general internal controls for AI systems does not differ that much from other systems and should include access rights, change management, logging and monitoring, and incident management. Supplier controls also need to be evaluated in cases where external parties are involved in the development and maintenance of the model or system.
Lastly, when reviewing the design and use of existing AI systems, the auditor should look at what input data and training data are used, evaluate the risk of bias or discrimination arising from the existing data, identify decision points and the transparency around decisions, evaluate ethics and fundamental rights, and assess output controls (monitoring of behaviour and anomalies).
Auditing cybersecurity incident response
Businesses are increasingly affected by security breaches. Organised crime is increasing, and ransomware has become an established business model that is now sold as a standardised service. The question is not if, but when, the business will be exposed to a successful cyber-attack. Organisations need to have established processes and procedures in place to handle cybersecurity incidents, and this is an area that internal audit should focus on in the coming years.
We would recommend that the audit covers the following five areas. The governance structure (1) should be evaluated, and there should be an incident management process with clear categorisation and classification of incidents. Organisation, responsibilities and mandates (2) are also important to evaluate. An incident response organisation needs to be established with clearly designated roles and responsibilities, with mandates to quickly handle and make decisions about the handling of different types of incidents.
Cyber security incident response plans (3) should also be evaluated. There should be separate plans for different types of scenarios, and these need to be coordinated with the business continuity and recovery plans. This should include agreed considerations for how to manage a potential ransomware attack. Dependence on third parties (4) is a crucial area to cover. Often there are clauses in contracts requiring suppliers to report incidents, but for critical suppliers, organisations need to go further than that to ensure that incidents are detected and reported in time.
Finally, awareness training and testing (5) are key activities to maintain the plans and the ability to manage cyber incidents in an efficient manner. Organisations need to continuously do both tabletop exercises and actual tests of the ability to handle cyber incidents and restore operations. For critical suppliers, tests should be coordinated.
Anti-corruption
Internal audit plays a crucial role to protect organisations against fraud and corruption
Fraud is on the rise across the EU, and corruption is increasingly understood as a lever facilitating multiple forms of financial and organised crime in both the private and public sectors. Scandinavia is no exception. Alongside cyber-crime, information security and climate change, fraud and corruption prevention is high on the agenda. Not to mention anti-money laundering given the forthcoming regulation effective from July 2027.
Fraud and corruption translate into a wide range of risks to companies, from complex fraudulent invoicing schemes linked to “crime as a service” offered by organised criminals, across sectors, to large-scale insider scandals surfacing in, for example, Sweden. Behind many of these issues, companies are facing direct economic damage over and above the legal and reputational risk.
Moreover, Sweden is preparing to implement a new anti-corruption law expected to take effect in January 2027. It is proposed that a dedicated category of “corruption offences” is introduced, in a separate section of the Penal Code for clearer regulation.
The offence of “negligent financing of a bribe” is expected to be replaced with “reckless financing of a corruption offence,” and the requirement for dual criminality in cases committed abroad is to be removed.
The reform also clarifies links between corruption and related crimes such as fraud, extortion, embezzlement, and breach of trust by adding new sub-headings and cross-references.
With the rise of fraud and corruption, companies are encouraged to make sure that risks associated with these issues are adequately addressed as part of their overall risk assessment and design preventive measures and controls accordingly.
In 2025 international internal audit standards went through major changes, including enhanced requirements on how conformance must be demonstrated. In practice, this means that internal auditors must show how they evaluate fraud and corruption risks in general as well as specifically in each audit.
This is usually done as part of the annual risk assessment but also in each audit. There are also high requirements on internal auditors to demonstrate the ability to identify issues that may be of particular sensitivity, with high integrity and ethical standards.
In fact, fraud and corruption are commonly detected by the internal audit function or by external auditors. It is also often the case that corrupt activities are revealed thanks to whistleblowing.
Anti-corruption, meaning programmes and frameworks to prevent, detect and handle corruption, builds on the same key approaches as you find in information security and anti-money laundering, that is a risk-based, systematic, proactive and integrated approach. Some companies have worked proactively on their anti-corruption measures for some time; however, the overall level of maturity still offers clear potential for significant improvement.
In comparison to the global standard for information security management systems, ISO 27001, the standard for anti-bribery management systems, ISO 37001, is not yet widely utilised in Scandinavia. It offers a best practice and benchmarking tool for both public and private organisations. Moreover, it is a globally recognised tool for performing audits, covering all fundamental aspects of a proper anti-fraud and anti-corruption management system, including risk assessment, governance, organisation, roles and responsibilities, competence and communication, due diligence and controls, whistleblowing, investigations, monitoring, reporting, continuous improvement etc. As a systematic approach it also includes the internal audit function itself. The standard was updated during 2025, with clearer guidance on managing conflicts of interest, enhanced focus on compliance culture, and the introduction of subclauses on climate change, which is generally identified as an issue resulting from bribery and corruption.