
Are You Really Auditing Your Organization’s Top Risks? Why Audit Plans Often Neglect CEO/Board Priorities
If you ask your CEO and board what they see as your company’s top risks and strategic priorities, what will they say?
Would they talk about cybersecurity, fraud, ERM, general control reviews, and procurement/vendor management? After all, those were the top five 2026 audit areas according to the Internal Audit Collective’s audit plan benchmarking survey.
I’ll say it: In most organizations, they won’t.
CEOs and boards are more likely to focus on things like talent management, product development, innovation, keeping clients happy, keeping market share, topline growth, and controlling costs.
So why does so much of our industry’s thought leadership focus on how Internal Audit teams can help their organizations address the first set of risks and priorities — and not the second?
This incongruence is worth highlighting, and worth fixing.
To stay relevant and provide value, we need to invest more of our time on the risks and priorities our CEOs and boards really care about. So how and where can we do things differently?
My Goal: Starting a Productive Conversation About Key Opportunities
Before going further, I want to be clear.
I’m not suggesting that the risks and priorities Internal Audit sees as important aren’t critical. They obviously are.
Every modern organization has to prioritize things like cybersecurity, third-party risk management, ERM, strong internal controls, and compliance.
But most CEOs and boards spend their time focusing on — and prioritizing — other things.
They care about growing their company, revenues, and customer base. They care about go-to-market (GTM) strategies and activities, innovation, filling their teams with top talent, and making sure those teams have the skills to stay ahead of the curve. They want to know they can compete and win.
So I’m not here to chasten anyone, or devalue the important work they’re doing.
My purpose is to highlight key opportunities we have to better support actual CEO and board priorities.
That’s why I want to get more Internal Auditors talking about:
- What we’re hearing about CEO and board priorities for our organizations.
- Ideas and leading practices for audit projects that help support these priorities.
With those goals in mind, let’s take a macro perspective on how CEOs’ and boards’ views on risks and priorities tend to differ from the risk rankings we see in much of our industry’s thought leadership.
CEO and Board Perspectives on Top Near-Term Risks
Annually, Protiviti’s Executive Perspectives on Top Risks report does its best to shed light on what’s top of mind for board members and C-Suite executives (i.e., CEO, CFO, COO, CIO/CTO, CISO, CHRO, CRO, CAE).
Protiviti’s survey also breaks down how risk rankings differ according to executive position. So — while no survey can capture every risk and priority for every organization — we’ll use their survey to help us understand how views tend to differ.
See Protiviti’s complete 2026 report for the full risk list and other nuances. But here’s how things shake out when we zoom in on rankings for CEOs, board members, CAEs, and all respondents. Notably:
- While “cyber threats” is indeed the top near-term risk across all respondents, CAEs, and board members, the risk doesn’t even make CEOs’ top five.
- Instead, talent management, labor, and economic pressures were top of mind for CEOs.
- Board members and CEOs agreed on four of the top five risks, with some variation in ranking.
- Third-party risks and regulatory change weren’t top-five priorities for either CEOs or boards.
- CAEs’ top-five risks overlapped with the CEO and board top-five lists on only two risks each:
  - CEOs: (1) skills/talent acquisition/retention and (2) economic conditions.
  - Boards: (1) skills/talent acquisition/retention and (2) cyber threats.

Perspectives on Top Strategic Investment Priorities
Protiviti also asked respondents to identify their top three strategic investment priorities (in which their organizations are likely to invest) over the next two to three years.
Of the 12 total investment areas provided as answer options, below were the top choices. Percentages show how many of each respondent category chose the priority.
(Answer options not shown: regulatory compliance infrastructure; advanced data analytics; third-party management; supply chain management; sustainability initiatives; crisis management. Again, please see Protiviti’s report for additional background.)

Comparison with 2026 Audit Plan Benchmarking Survey Results
So, how do the 2026 audit plans represented in the Internal Audit Collective’s benchmarking survey stack up against these top investment priorities?
The items marked red are the audit projects we’re often already doing — the ones we’re expected to do, and used to doing. The items marked green are key opportunities in priority investment areas.
Percentages indicate how many respondents are planning 2026 audits in each area.
Why not start a conversation about tackling one or more of these projects in 2026 or 2027?
- “Business process improvements” (#1 for CEOs/boards, #2 for all) — since this area touches so many different audit types, we’ll just list areas where Internal Audit teams reported ANY projects. (We also listed several related categories where no audits were reported.)
  - Innovation:
    - Product development (e.g., R&D spend, innovation governance) — 8%
    - Innovation/R&D (portfolio prioritization, ROI measurement) — 4%
  - GTM:
    - Revenue operations (e.g., contract terms, deal approvals) — 39%
    - Commissions/incentive compensation — 26%
    - Pricing and discounting — 22%
    - Channel partner / distributor management — 19%
    - Customer experience — 14%
    - E-commerce (e.g., platform security, payment reconciliation) — 13%
    - Sales effectiveness or compliance with sales process — 12%
    - GTM strategy (e.g., alignment w/ strategic goals, sales enablement) — 10%
    - Outbound marketing — 9%
    - Loyalty programs — 8%
    - Inbound marketing — 5%
    - Brand awareness and usage — 5%
    - Digital marketing (e.g., cookie consent, analytics, ad fraud) — 5%
- “Human capital management and workforce skilling” (#2 for CEOs/boards, #6 for all):
  - Talent acquisition and onboarding — 22%
  - Compensation and benefits — 21%
  - Contingent workforce — 11%
  - Workforce planning — 9%
  - Performance and reward — 8%
  - Learning and development — 7%
- “Customer experience” (#3 for CEOs/boards, #5 for all) — as mentioned above, 14%
- “Infrastructure modernization” (#4 for CEOs/boards, #3 for all):
  - IT operations (which our survey described as “infrastructure management, uptime, capacity”) — 46%
  - Business continuity — 31%
  - Disaster recovery — 23%
- “Cybersecurity” (#5 for CEOs, tied for #4 for boards, #1 for all) — 71%
In other words, we’re doing a good job of auditing things that management would expect us to audit.
But are we really auditing the things that matter most to our companies’ success?
This question can only be answered individually. But it’s a question worth asking.
Here’s another one: Why is this happening?
What’s Causing This Incongruence?
After all, we’re supposed to be the risk people — the ones our organizations trust to help them identify and understand their most important risks. So what’s happening here?
I’m eager to hear perspectives from the Internal Audit Collective and beyond.
Kicking things off, here are some potential root causes I can think of:
- Internal Audit is often aligned with the CFO perspective. Especially in North America, many CAEs administratively report to the CFO — not the CEO. The IIA’s 2025 North American Pulse of Internal Audit report found that 79% of public-company CAEs and 72% of private-company CAEs administratively report to the CFO. My colleague Richard Chambers has been highlighting the risks of this alignment for years. But the result is that our audit plan is often influenced by what’s important to the CFO, Controller, or General Counsel — not by what matters to the CEO.
- Industry thought leadership is often driven by vendor priorities and capabilities. It’s only natural for our consultants, technology providers, and other vendors to focus their industry thought leadership on the risks and problems their people and products are equipped to help us solve. But that focus could be skewing our perspective on the risks that matter most.
- Internal Audit risk assessments don’t formally include ALL enterprise risks. We have limited resources; we can’t audit everything. We have to start with the things Internal Audit “should” audit (e.g., SOX, cybersecurity, contract reviews, fraud). That doesn’t always leave bandwidth for more.
- We haven’t yet earned trusted-advisor status with our CEOs. CEOs’ top-of-mind risks and priorities tend to be critical to business success. In many organizations, Internal Audit hasn’t built the trusted relationship and/or portfolio of wins to be invited to address such meaty topics.
What Can We Do About It?
It’s unrealistic for most Internal Audit teams to change their 2026 audit plans to better align with CEOs and boards’ top risks and priorities.
But we can start taking deliberate steps toward it.
That’s why I want to jumpstart this conversation — to get Internal Auditors sharing questions, ideas, and successes that enable a stronger focus on these risks and priorities central to business success.
Here’s a hypothesis, based on my own experience as a CAE and my privileged position leading a collective of 800+ high-performing Internal Auditors:
- Get really good at what you do. It takes time to prove value and earn trusted-advisor status. Start by getting really good at your core responsibilities (e.g., SOX, “typical” audits). Make your non-negotiable work the pillar of an extremely positive reputation. Our 2025 SOX and Internal Audit benchmarking survey reinforced how leaning into SOX can be key to proactively positioning Internal Audit to earn trusted-advisor status and lead the way on connected risk.
- Build relationships with first-line executives. Internal Audit usually has relationships with the CFO, Risk, Compliance, IT, Supply Chain, HR, and General Counsel — mostly second-line functions. To understand what’s important to the first line, we need to start building real relationships with them. These are the people hired to make sure your business is effective in providing its product/service and driving top-line revenue. The time you invest increases your knowledge of the business AND the likelihood they’ll say yes to Internal Audit’s offers to help.
- Lead with an advisory project — not an audit. Advisory projects let us provide feedback and advice without airing anyone’s dirty laundry. Earn trust and prove competence by providing analysis, insight, foresight, recommendations, and hands-on assistance that helps them solve their problems.
- Build a reputation that does your marketing for you. If you provide value and make their lives easier/better, C-Suite leaders will tell each other about it. However, once you have a few wins under your belt, make sure the board and C-Suite are aware of them.
- Make sure risk assessments are informed by your organization’s strategic investments and capital projects. As the old wisdom goes, the greatest risks are where the most resources are deployed. If you don’t have access to this data, get it.
- Share our challenges and solutions. The Internal Audit Collective is a knowledge-sharing goldmine. Let’s get focused on specific opportunities. To start, I’m organizing a roundtable in March where members will share their successes with GTM audit projects.
THE LAST WORD: Use 2026 to Start Down a Better Path
Again, I’m not suggesting that the risks on our 2026 audit plans aren’t important.
What I am suggesting is that we may be missing key opportunities to better address the risks and priorities that are top of mind for most CEOs and boards.
And as AI, connected risk, and margin pressures continue infiltrating our businesses, we really do need to up our game.
In a couple years, if you’re only doing SOX testing, will they have any reason to keep you around?
If/when they consolidate Internal Audit with other GRC teams, who will they choose to lead?
My bet is on the person or team that’s most strongly focused on first-line risks and priorities.
Internal Audit is headed into a turbulent storm. Our future is not assured. If you’re still doing things the way you did even a few years ago — not adopting AI or innovating processes, doing the same old audits, focusing solely on protecting versus creating value — it will not end well for you.
What will you do in 2026 to change the game?
When you are ready, here are three more ways I can help you.
1. The Enabling Positive Change Weekly Newsletter: I share practical guidance to uplevel the practice of Internal Audit and SOX Compliance.
2. The SOX Accelerator Program: A 16-week, expert-led CPE learning program on how to build or manage a modern & contemporary SOX program.
3. The Internal Audit Collective Community: An online, managed community to gain perspectives, share templates, expand your network, and keep a pulse on what’s happening in Internal Audit and SOX compliance.