
Are You Planning for 2026 — or Just Repeating 2025? A Strategic Checklist for Increasing Impact
Sure, some audits are nonnegotiable. But ask yourself — does your audit plan accurately reflect today’s business priorities AND tomorrow’s risks? Is it focused on improving how your business operates? Or is it just a revamped version of what you did last year, often highlighting who did what wrong?
With increased margin pressures, expectations escalating for Internal Audit to do more with less, and the amount of change, volatility, and uncertainty in the world, now is a good time for Internal Audit leaders to hit pause, make sure their audit plans are meeting the moment, and recalibrate.
To do so, consider these five ways to focus and direct resources to improve your 2026 audit plan.
#1: Include an AI Governance Review
Include AI governance in 2026. Without it, you’re already behind the eight ball. Using — and more effectively governing — Gen AI across the enterprise is one of the most common goals for organizations operating today.
Just completed an AI governance review? Doesn’t matter.
With how fast AI moves, it’s already time for a refresh. Plus, AI governance reviews invariably uncover opportunities for ancillary projects.
The State of Internal Audit With SOX Responsibilities benchmarking survey found that 42% of self-assessing high-value Internal Audit teams planned to provide assurance or advisory services related to their organizations’ Gen AI use in 2025, compared to only 19% of self-assessing low-value teams.
In 2026, with fast-increasing use of agentic AI compounding organizations’ risks, we must do better.
That’s why the Internal Audit Collective is putting a huge emphasis on creating how-to guidance for AI governance. Coming soon: A playbook — authored by collective members — outlining six ways Internal Audit can provide assurance over organizations’ use of AI.
#2: Don’t Just Audit “Cybersecurity” — Get Specific
While cybersecurity has long been a top risk, most CAEs still settle for overly broad cyber risk assessments that fail to provide real assurance.
2026 is the year you’ll up your game.
Instead of adding cybersecurity as a general audit-plan line item, you’ll identify and propose detailed audit projects targeting the specific risks that really matter to your organization.
How do I know?
Because David Malcom — a former Big Four IT auditor, Internal Audit VP, and CISO and current cybersecurity consultant — shared his 6-step blueprint for building a better cybersecurity audit playbook. It details how to run a risk assessment that helps you categorize and prioritize specific audits that actually matter (e.g., user access reviews, vulnerability management, SDLC).
You don’t have to be a cyber expert to get it right. You only need to understand process — which you already do.
#3: Audit Go-to-Market Activities
How does your organization identify and acquire new customers, or grow relationships with existing ones? What processes help you generate, evaluate, fund, and develop new products and services?
Go-to-market and innovation activities are vital, impacting revenue, competitive advantage, quality, and more. They’re deeply relevant to performance and strategy, often dominant among companies’ primary business objectives.
But Internal Audit doesn’t often audit them.
So, how can you do an audit that helps ensure your organization is getting the most bang for its buck, not missing opportunities, and providing the right support in these areas? Add it to your plan in 2026.
Example projects include:
- Go-to-market: Adherence to sales processes, cross-selling, partner sales, new product roll-outs, content marketing, lead generation.
- Product/innovation: Innovation pipeline/portfolio management processes, R&D effectiveness, product development lifecycle, cross-functional collaboration, IP protection.
You may be surprised by how eager sales, marketing, product, and innovation teams are for insights on how they can improve.
But you won’t be surprised when the C-Suite is impressed, or when your Internal Audit team really enjoys digging into these new audits.
#4: Ensure Solid Alignment With Top Risks
If your audit plan addresses less than 50% of your top ERM risks, aim higher. Try for at least 60-70% alignment.
Our benchmarking survey found that 78% of self-assessing high-value Internal Audit teams have 50% or more of their audit plan addressing their top 20 risks.
If alignment is difficult this year because of the routine, non-negotiable work expected in your plan, consider using 2026 to carve out future bandwidth. Look to leverage automation to continuously audit processes such as Procurement, Payroll, HR, and Pcards, instead of reperforming them every year from scratch.
#5: Propose Only 75% of 2025’s Audit Load — Reserving 25% for These 3 Things
How many audits did you do in 2025? Whatever the number, propose 75% of it for 2026 (e.g., if you did 80 audits in 2025, plan 60 in 2026).
Why? Because it’s urgent to ensure that your team has sufficient bandwidth for three key activities.
1. Learn How to Use Gen AI in Internal Audit
Figure out how your team can use Gen AI to make Internal Audit and SOX activities better (e.g., increased efficiency, effectiveness, productivity, value, coverage, transparency).
If we don’t know how to use AI in our own projects, how can we have credibility advising the business on its use of AI?
In short order, our organizations are going to expect us to make recommendations and even provide assurance over the business’ use of AI. So:
- Get started already, proactively developing your AI skills/knowledge. Look for upcoming eBooks (authored by Internal Audit Collective members!) with ready-to-deploy AI use cases, governance best practices, and more.
- Hold your team accountable not only for using AI themselves, but for making recommendations to the business on its use of AI. Create/track metrics in both areas.
2. Lean Into Improving SOX
If you have SOX responsibilities, make 2026 the year you lean into making SOX the best it can be.
Reviewing the data from The State of Internal Audit With SOX Responsibilities, a hypothesis emerged: Taking proactive action on six specific maturity and impact enablers — controls rationalization, External Auditor reliance, GRC tech optimization, data analytics, audit plan alignment, and foundational audit infrastructure — helps teams improve their reputations, gain stakeholder trust, expand their relationships/purview, and ultimately earn trusted-advisor status.
In short: Strengthening SOX offers a proven path to securing Internal Audit’s seat at the leadership table.
So, instead of minimizing SOX, use it as a lever to:
- Prove your ability to lead, deliver value, and help the business improve its processes and strengthen risk management.
- Show your readiness to take the lead on connected risk. On that note…
3. Lead a Connected Risk Project
If you haven’t done a connected risk project yet, 2026 is the year to make it happen.
Propose an advisory project that positions Internal Audit not as the recommender, but as the doer. For example, collaborate with other risk and assurance teams to:
- Create a common risk taxonomy for the entire organization to use.
- Consolidate issue management/remediation so it’s overseen by a single team.
- Combine/share data in a single source of truth.
- Develop a master RACM to unify oversight.
- Agree on control standards (e.g., documentation, support, performance).
- Create assurance maps that increase coverage while reducing duplication.
- Co-present reporting in key areas.
Connected risk is gaining traction. Internal Audit can play a pivotal role in getting everyone onboard.
WHY THIS WORKS: It All Comes Back to Connected Risk
I believe that connected risk is the future of Internal Audit.
As the Internal Audit Collective’s benchmarking data reinforces, having a high-maturity SOX program leads to having a higher-impact Internal Audit team with more executive buy-in — offering a ready-made path for taking on more connected risk work.
This audit-planning checklist is an extension of this hypothesis. These five actionable ideas are accelerants, designed to help you follow this path sooner.
Why wait to start knocking the ball out of the park? Plan to increase impact in 2026.