Benchmarking Survey Results: What’s on Your Audit Plan for 2026?

It’s January of a new year, which means you’ve probably done a good job understanding your organization’s top risks and building an audit plan that addresses them. 

So why would you spend your valuable time looking at what your peers are doing in 2026?

Loads of reasons. You can use audit plan benchmarking survey results as:

• A final litmus test for your audit plan, helping ensure effective coverage and prioritization of the risks that really matter.
• An opportunity to celebrate how your audit plan aligns with — or exceeds — peers’ plans. 
• A tool for communicating with your CFO or AC Chair about:
  
  • What your peers are doing — including any threats or opportunities your team may be missing in 2026. 
  • Whether your priorities make sense for the coming year.
  • Why effective audit coverage requires additional resources.

That’s exactly why the Internal Audit Collective kicked off its first-ever audit plan benchmarking survey in late 2025. It’s also why — with your participation! — we aim to provide periodic snapshots that help you better understand your team’s audit plan, priorities, and coverage in context.

Read on for a rundown of the top audit topics, key themes, and directional trends we identified in our 2025–2026 survey.

Survey Background and Raw Data

The Internal Audit Collective’s “What’s on your audit plan?” 2025–2026 benchmarking survey was completed by 91 Internal Audit leaders between October 30, 2025, and January 1, 2026. Respondents represented a wide range of industries and team sizes.

As always with Internal Audit Collective benchmarking surveys, it’s pay to play: Respondents who complete our surveys get exclusive access to the raw survey data, letting them hone in what’s most relevant for their unique needs. Survey participants, thank you again! (And if you DIDN’T participate but want access to the raw data, the conclusion of this article explains how you can get it.)

Top 20 Audit Areas for 2026

Looking past the top 20, the next most frequent audits for 2026 were as follows:

1. SOX Compliance (e.g., program assessment) — 35% of respondents
2. AI Regulation (e.g., EU AI Act) — 32% of respondents
3. Inventory — 32% of respondents
4. Business Continuity — 31% of respondents 
5. Treasury — 31% of respondents
6. Ethics & Hotline — 31% of respondents
7. Procurement Cards - P-card usage, approval controls — 27% of respondents
8. Period End Financial Reporting Process — 27% of respondents
9. Vendor/TPRM (e.g., lifecycle management, contract oversight) — 26% of respondents
10. Cloud Computing & Security — 23% of respondents
11. Third-Party IT Risk (e.g., SaaS vendor due diligence) — 23% of respondents

Comparing 2026 vs. 2025–2026 Coverage 

As our survey results reinforced, many teams rotate certain audits, performing them every other year. So in some cases, a two-year view can give us a more accurate overall picture of audit coverage. With that in mind, below is a summary view comparing 2026’s top audit topics with audit coverage across 2025–2026 (i.e., audits completed in 2025 AND audits planned for 2026). 

‍

Key 2026 Trends

High-Volume Teams

Top Audit Topics for 2026

For the 34 survey respondents planning 20 or more audit projects (considered “high-volume” teams, for our purposes) for 2026, technology governance, revenue operations, and compliance mandates dominate the landscape. Top 10 audit topics among these high-volume teams were:

1. Cybersecurity — 91% 
2. Identity & Access Management (IAM) — 68%
3. Procurement and Vendor Management — 62%
4. Third-Party Compliance — 59%
5. IT Operations — 59%
6. External Auditor Assistance — 50%
7. Change Management (IT) — 53%
8. Revenue Operations — 53%
9. Inventory — 53%
10. Fraud Risk Management — 50%
11. Data Governance — 50%
12. IT Project Delivery — 50%
13. Supply Chain — 50%
14. ERM — 47%
15. Corporate Compliance — 47%

Overview of Key Trends

Cybersecurity and IT risk dominate 2026 audit plans. High-volume teams are moving from more generic cybersecurity audits to include more specific tech governance and risk assessments. The surge in cybersecurity audits in particular is undoubtedly partly due to The Institute of Internal Auditors’ (IIA’s) mandatory Cybersecurity Topical Requirement, introduced in 2025.

Heavy third-party and vendor focus. High-volume teams are devoting significant resources to understanding risks across the extended enterprise, as shown by the high concentration of audits in traditional areas like third-party compliance and procurement and vendor management and more technical areas such as revenue operations, data governance, and IT project delivery. The latter focus areas also suggest a focus on more strategic, forward-looking reviews.

Shift to continuous assurance. High-volume teams are moving toward continuous monitoring in areas such as IAM and data governance, understanding that traditional point-in-time audits are insufficient for responding effectively to today’s highly volatile risk landscape.

ERM and corporate compliance = still core. Despite the technical bent of the majority of these high-volume audit plans, ERM and corporate compliance still appear in almost half of these plans.

Different-Sized Teams

Audit plans vary significantly based on team size. While cybersecurity is a top priority for teams of any size, other focus areas shift from foundational control reviews and basic organizational hygiene for small teams to more specialized operational and technical audits for larger teams.

Top Audit Topics for 2026

Overview of Key Trends

Audit specialization tends to increase along with team size. Small teams tend to act as generalists, focusing on controls and foundational financial cycles (e.g., AR) to ensure basic corporate hygiene. Larger teams are nearly twice as likely to tackle complex audits such as revenue operations and IAM. 

Cybersecurity is a universal priority. However, larger teams tend to have the resources to provide annual audit coverage in this area alongside more specialized IT- and security-focused audits.

AI governance reviews are gaining momentum across all teams — but large teams go deeper. While just under half of small- and mid-sized teams are performing Gen AI governance reviews, larger teams are often taking their analysis deeper, focusing on audits around IT project delivery and data privacy and protection compliance.

Third-party risk could be a blind spot for some smaller teams. While approximately three in five large teams are auditing third-party compliance and procurement and vendor management, fewer small and mid-sized teams are auditing these areas in 2026.

Mid-sized teams are maintaining a strong focus on bridging strategy and execution. These teams are leading in ERM audits and more likely to prioritize audits of external auditor assistance. 

Newly Added Audits for 2026

Across teams, when we analyze the audit topics that teams didn’t cover in 2025 but plan to cover in 2026, the most frequently added new audits included:

‍

1. Gen AI Governance Review — newly added for 28 teams. Suggests that while many teams began assessing and monitoring AI risk in 2025, AI assurance is a growing focus in 2026. (Look for our upcoming eBook for help in this area!)
2. AI Regulation (e.g., EU AI Act) — newly added for 23 teams 
3. Data Governance — newly added for 20 teams 
4. Business Continuity — newly added for 19 teams. Both mid-sized and large teams are adding this topic in 2026, reinforcing a broader trend of evaluating organizational resilience. 
5. Procurement and Vendor Management — newly added for 18 teams 
6. Third-Party Compliance — newly added for 18 teams 
7. IT Project Delivery — newly added for 17 teams 

Key Overall Themes and Directional Trends

1. IT and Cybersecurity Have Become Enterprise Risks

Today’s audit plans increasingly recognize how technology and data risks underpin and interconnect with financial, operational, compliance, and strategic enterprise risks. 

• Cybersecurity earns top billing. Cybersecurity is on 71% of 2026 and 80% of 2025–2026 audit plans. We also see a persistent focus on IAM (a remarkable 62% for 2025–2026).
• Reviewing IT operations and implementations is a priority in many organizations. In 2026 audit plans, 46% include IT operations audits, 44% include change management audits (e.g., SDLC, system changes, config control), and 41% include pre- or post-implementation reviews focused on IT project delivery. 
• Robust ongoing focus on data governance, privacy, and security. Data governance audits appear on 42% of 2026 audit plans (56% across 2025–2026), and data privacy/protection compliance audits on 37% of 2026 audit plans (44% across 2025–2026).
• Growing focus around AI. Unsurprisingly, AI topics have quickly risen into most organizations’ top 20: More audit plans include Gen AI governance reviews (42% in 2026 and 56% across 2025–2026) and AI regulatory compliance (32% in 2026 and 38% across 2025–2026). 

2. Third-Party/Vendor Risks Loom Ever Larger

Internal Auditors have become more clear-eyed about how events in their third-party and vendor ecosystems can have cascading impacts on their organizations. 

From data security weaknesses and AI usage to financial stability, regulatory compliance postures, carbon footprints, and beyond, our third-parties’ and vendors’ risks can quickly become our risks.  

Third-party/vendor risks are a near-term priority for most organizations: 64% of audit plans include at least one vendor or third-party audit in 2026. Specifically:

• Financial focus: Procurement and vendor management is included on more than half (51%) of 2026 audit plans and 65% of plans across 2025–2026.  
• Compliance focus: Third-party compliance is included on 44% of 2026 audit plans and 55% of plans across 2025–2026.  
• Operations focus: Vendor/TPRM (e.g., lifecycle management, contract oversight) is included on 26% of 2026 audit plans and 37% of plans across 2025–2026. In addition, supply chain audits are trending upward: 26% of audit plans include the topic in 2026, up from 19% in 2025.

3. Resilience Is a Growing Concern

It’s no longer enough to ensure that individual controls and processes are working or that a business continuity plan is in place.  

The question now: Are processes/controls working together and operating well under stress? 

Internal Audit teams appear to have learned a thing or two from the constant pace of disruptive, interconnected risk-induced change. Coverage is trending toward multidisciplinary audit strategies covering: 

• Core resilience functions such as business continuity (planned by 31% for 2026, up from 24% in 2025), disaster recovery, and crisis management are trending upward.
• IT infrastructure resilience, as seen in the consistent prioritization of cybersecurity and IT-related audits and a growing focus on topics such as cloud computing and security (on 34% of audit plans across 2025–2026). 
• Third-party/vendor oversight, viewing resilience through the lens of the extended enterprise with a robust ongoing focus on third-party/vendor risk topics as outlined above and newer topics such as third-party IT risk (on 30% of audit plans across 2025–2026).

4. Compliance Is Becoming More Complex

While compliance remains foundational, its scope is broadening and becoming more complex to align with the rapid pace of business and regulatory change.

Leading Internal Audit functions are moving beyond mere compliance, assessing readiness for potential regulatory changes on the horizon.

In addition, a growing number of Internal Audit teams are looking to evaluate the effectiveness and efficiency of their SOX programs. 

We see:

• A continued emphasis on core compliance. Many 2026 audit plans still feature topics such as corporate compliance (47%), data privacy and protection (37%), ethics/hotlines (31%), and fraud risk management and investigations (56%).
• Emerging compliance risks getting more attention. Audit plans often include topics of growing strategic importance to organizations — even as regulations and guidance around them are still developing. For example, respondents’ audit plans include:
  
  • AI regulation is on 32% of 2026 plans, up from 13% in 2025. This dovetails with the rise in Gen AI governance reviews, included on 42% of 2026 audit plans — up from 25% in 2025. 
  • ESG/sustainability is on 33% of audit plans across 2025–2026. 
  • Third-party IT risk is on 30% of audit plans across 2025–2026. 
• A rising number of SOX compliance program assessments, included in more than 35% of 2026 audit plans. Since I’ve been beating the “lean into SOX to improve your brand and increase your impact” drum for quite a while now, I’m encouraged to see that more Internal Audit teams are planning to do some soul searching in this area.

THE LAST WORD: Time to Dig Deeper

Several of these themes and trends make us want to dig deeper. 

So we will. 

We’re planning for this article to be the first in a five-part series — which admittedly could morph as we talk more about these ideas in the Internal Audit Collective — to include:

• Why does audit specialization tend to increase along with team size? What’s really causing it? Where are the exceptions and why? 
• Why are many Internal Audit teams still not placing a significant focus on the GTM activities (e.g., sales, marketing, innovation) that are core to so many modern businesses? I’ll schedule an upcoming roundtable to hone in on this question. 
• Are our audit plans truly focused on our organizations’ key risks? We’ll see how our results stack up to top-risk lists from Protiviti, the World Economic Forum, AuditBoard’s Focus on the Future, and other sources.
• What are some leading practices for pushing back on stakeholder resistance to specific audit topics? I’ll also schedule an upcoming roundtable to talk about this one. 

That’s how Priscilla, Heather, and I will be using this information in the short term. 

And for the rest of you, I’d recommend using this information to ask yourself:

1. How do these benchmarking results compare with your own audit plan? If you haven't yet presented on this year’s audit plan, perhaps there’s time to consider changes prompted by this data. If you have already presented and changes would have been proposed, perhaps you can share your recommended changes during your next audit committee meeting (and finally implement that dynamic audit plan you’ve always thought about).
2. Does your audit mirror what was done last year? If so, is there wiggle room to modify it to be inclusive of a new key or emerging risk? Or add a top audit project that has never been done before in your organization?
3. Regarding your peers’ top 10 audit projects, can you justify why those audit projects are not on your own 2026 plan? If not, is it worth considering adding any missing topics?
4. Do you want access to the raw survey data? Great! Take the survey yourself and get sent the raw data, enabling you to do your own deeper dive on industry-specific or other questions. We’ll keep the poll/option open as a benefit for our members. (Note: To improve the quality of our data and conclusions — and avoid giving Heather unnecessary headaches — please give simple numerical responses whenever possible.)

‍