2026年技术与数字风险热点议题：驾驭不确定性：内部审计视角

Navigating uncertainty: An internal audit perspective Executive summary Welcome to the 15th edition of our annual paper on the hot topics in technology and digital risk. The report's release is timely, given the unprecedented challenges facingorganisations. Rapid technological advancements,particularly the ultra-rapid acceleration of artificialintelligence(AI), are creating a volatile digital risk landscape, exacerbatedby increasing system interconnectedness, evolving regulations, and ongoing global uncertainty and geopolitical disruption.Key technological shifts in 2025-26 include the rise of generative and agentic AI (GenAI), the proliferation of Internet-of-Things(IoT), increasingly sophisticated cyberattacks, and vulnerabilities within global supply chains. Successfully navigating this complex landscape requires a dual focus: leveraging technological advancements, such asautomation and AI, to foster competitiveness, reap the business rewards and enhance efficiency, while simultaneouslystrengthening foundational risk management practices. Robust IT governance, resilience, and effective third-party riskmanagement are paramount. Recent high-profile cyber incidents serve as stark reminders of the criticality of thesefoundational elements. This year’s paper advocates once again the crucial role of internal audit in mitigating these risks, protecting the businessandsafeguarding regulatory compliance. It explores how functions can effectively integrate innovation and established principlesto create a comprehensive and future-proof risk management strategy, enabling organisations to confidently seize thebusiness opportunities presented by emerging technologies while mitigating the associated risks. The survey data hopefully provides a valuable benchmark for organisations to assess their own preparedness and identifyareas requiring immediate attention. As always, our report aims to offer practical guidance and recommendations forfunctions, outlining the key actions they can take to address key risks by domain, and ensure compliance with evolvingregulations, such as the Institute of Internal Auditors' (IIA) new cybersecurity topical requirements. Finally, we also tried to look beyond the immediate concerns and open the discussion on emerging technology risks. Byhighlighting these future challenges, we hope to equip internal audit functions-as well as CIO and IT risk functions-with theforesight needed to proactively address emerging threats and ensure the long-term sustainability and success of theirorganisations in an increasingly complex and dynamic technological landscape. We hope this continues to be a valuable resource to inform discussions and enhance your 2026 risk assessment and auditplanning. We welcome ongoing dialogue and collaboration with technology and audit leaders on these critical topics, soplease do not hesitate to contact us if you’d like to discuss any aspect of this report further. Table of contents Click on each section to navigate through the report and use the home button on the right to return to this page. Sector analysis Subtle yet notable differences emerge when comparing financial servicesresponses with other corporates and public sector organisations. Theranking variations reflect differing regulatory landscapes, business models,and technological priorities. Cyber securitydominates the list, claiming the top spot acrossrespondents andsectors. This underscores the concerns around the threatenvironment across the industry, and the criticality of robust cyber securitystrategies as the bedrock of any effective technology control environment. Artificial intelligence (AI)features prominently across top risks, reflectingthe rapid adoption of generative AI technologies in recent months acrossall industry sectors, and the associated challenges in managing the risksand opportunities they present. There was a notable upwards move from4thto 2ndplace this year. Third-party risk and outsourcingshow a difference in prioritisationbetween sectors.Financialservices organisations rank third-party riskshigher than corporates and public sector, highlighting the significantconcern around managing risks associated with external vendors in ahighly regulated environment, whereas the prioritisation ofdigitaltransformation and IT changeby corporates and public sectororganisations, compared to financial services organisations, is reflective ofthe concern of the pace, governance and success of technology-drivenchange initiatives. Industries such as retail and manufacturing face fastinnovation cycles making IT change a core business driver. Technology, cyber and operational resilience, while important to bothsectors, holds the 6th position for corporates and public sector but dropsto 7th infinancialservices. This difference might reflect the varyingapproaches to risk mitigation and the maturity of resilience strategieswithin each sector e.g. financialservices, with a rather more stringentregulatory