00:00:02 The IIA
The Institute of Internal Auditors presents All Things Internal Audit. In this episode, Deborah Poulalion and Brian Tremblay unpack the top three risks from the 2026 North American Risk in Focus Report: geopolitical uncertainty, digital disruption, and cybersecurity.
00:00:20 The IIA
They discuss why these risks are rising, how internal audit can approach hard-to-audit areas, and how to use Risk in Focus to drive stronger conversations with leadership.
00:00:32 Deborah Poulalion
Brian, it is great to be with you today to talk about the project that we've been working on together for many months. So tell me about your involvement as a part of the research committee for the Internal Audit Foundation.
00:00:47 Brian Tremblay
Yeah, Deborah,
00:00:49 Brian Tremblay
When you reached out to me to participate in this, I quite frankly was ecstatic too, because this is one of the projects that I was involved in contributing to or contributing on as part of CREA, the Committee of Research and Education Advisors that I've sat on for many, many years. This team of dedicated professionals volunteers their time to help solicit
00:01:16 Brian Tremblay
ideas for research, review research, and ultimately contribute even after the research is out to providing context to that research. So when you invited me, I just, I had to say yes and I had to say yes fast so you didn't go somewhere else.
00:01:32 Deborah Poulalion
I am so glad you're talking with me today. The Internal Audit Foundation is proud to be producing Risk in Focus again this year for the third year in a row globally, and we appreciate your input and the committee members in North America and around the world. So let's get started on a great conversation. As we get started, if you happen to be at a place where you can go ahead and download it now, you can follow along with our graphs and charts
00:02:01 Deborah Poulalion
the board briefing. So you would go to the iia.org risk in focus, click on the beautiful button for North America, and just go ahead and download the report and then the board briefing as well. And just a little plug for the board briefing. So this is actually set up like a PowerPoint presentation so that you can use it with your audit committee or your team or anybody else that you want to have a good conversation with about risk.
00:02:29 Deborah Poulalion
So my job today is the data, and Brian's job is to tell us how this applies to internal auditors. So let's get started with the topic of the year, geopolitical and macroeconomic uncertainty. So one of the key results in North America was that there was a significant increase in this risk level compared to the prior year. If you're following along in the board briefing, this is on slide 8.
00:02:58 Deborah Poulalion
So the increase was 19 percentage points over the prior year. And to put that in perspective, no other region had a jump in risk that big. 45% of respondents in North America said that geopolitical uncertainty was a top five risk for them back in May. So the other part of this,
00:03:21 Deborah Poulalion
to consider is that while CAEs said it was one of the highest risks, they rarely said it was one of the five areas where they spend the most time and effort. So that could be completely appropriate because you may not be able to spend all your time and effort in this area, but we want to talk about how you do address this risk. So Brian, what is your perspective?
00:03:45 Brian Tremblay
So something like this can many times feel
00:03:49 Brian Tremblay
very out there, difficult to audit, along the lines of something like, how do you audit corporate culture? But I think there's two things that jump to mind for me as it relates to how internal audit can integrate this into the work that they do. So one would be is thinking about how the organization itself would respond if there was something that derived from this uncertainty. So if we think about resilience of the business,
00:04:18 Brian Tremblay
do we have liquidity in the event of a government shutdown where maybe we're not getting paid for a period of time? How would it impact our supply chain and how would it impact our competitors? So thinking about on every audit you do, if maybe these things are in place or there's an opportunity to layer in the impacts of geopolitical risk and uncertainty into the reviews that you're doing.
00:04:44 Brian Tremblay
The second place that I would think about would be enterprise risk management. So this is all about risk, and some of our companies have risk management functions formally, so liaising with them very closely to understand what they're doing around this. Or if we don't have the luxury of a risk management function in our company, how can we, as internal audit, help to educate management on what we think might be valuable to do with this topic?
00:05:14 Deborah Poulalion
And I just wanted to add another piece of information from the survey results. There is a report that combines the results worldwide. If you went to our website and downloaded North America, you might want to go back and go ahead and download the global summary too. There's a report and a board briefing. Survey respondents were different in different regions for the amount of risk for geopolitical uncertainty. So Europe, Latin America, and North America
00:05:44 Deborah Poulalion
were almost exactly the same. 45% said that was a top five risk for them. But we saw much lower in Africa and Middle East in May. So they were under 30% saying it was a top five risk. Asia-Pacific was a little higher. And so my takeaway as a person who does a lot of surveys for the IIA is that things change.
00:06:08 Deborah Poulalion
right? I know what people said in May, but at this point, this is a rapidly changing area and that anticipation and response is probably key. What do you think of that, Brian?
00:06:19 Brian Tremblay
I do think that there is an opportunity here for internal audit to just help their organizations prepare for uncertainty. Like we were talking about before, just thinking about what they have in place to
00:06:37 Brian Tremblay
help to mitigate any risk that maybe is unknown at the moment that could really disrupt the business. So that same would apply for really any of these very big general, almost unauditable risks. It's just thinking about if they were to happen, how would my organization address it? And if we don't think there's a sufficient response,
00:07:01 Brian Tremblay
in our view as the internal audit team and department, then our job is to raise that to the leadership team and the board if necessary.
00:07:11 Deborah Poulalion
Very good points. So going to digital disruption, if you're in your board briefing, you can look at slide 8 again. So risk has been steadily rising for this area. In the survey, it's described as digital disruption, including AI. So
00:07:30 Deborah Poulalion
it's up 5 percentage points, which means a little more than half of CAEs said it was one of the five highest risks for their organizations. So looking at slide 13, if you're following along, audit priority is also increasing, and that is at a bit faster rate than the risk, 11 percentage points up to 44% of people saying it's the area, one of the five areas where they spend the most
00:07:59 Deborah Poulalion
time and effort. So Brian, what are the best approaches for internal audit to address the risks of new technology in general, including AI?
00:08:10 Brian Tremblay
I think one of the grounding things for me around technology in general is that as fascinating and impactful as topics like AI are, at the end of the day,
00:08:27 Brian Tremblay
technology is built on lines of code. And if you think back to some of the very simple things that we have had for a long time around technology audits, a lot of them really come back to the basics of access to that technology, access to the interior of that technology, the changes that are made to that technology,
00:08:53 Brian Tremblay
Understanding all of those doesn't change no matter what the technology is and what the technology does. What does change maybe a bit more would be really taking the time to understanding how that technology works. And I can say that coming from a place, having spent some time at a cybersecurity software company, where I was able to sit down with the folks that were building technology,
00:09:23 Brian Tremblay
packaging that technology, ultimately selling that technology. What it may require us to do is just really get a much deeper understanding of those technologies that are out there in the market and that our companies are using. I think that's what's become a lot more paramount in my eyes as it relates to digital disruption and artificial intelligence.
00:09:47 Brian Tremblay
Now, I want to just jump back to what we were talking about around the geopolitical uncertainty, not to talk about geopolitical uncertainty, but I do feel like there is a lot of uncertainty in the profession around the volume and the velocity of these technologies. Again, as internal auditors,
00:10:06 Brian Tremblay
I think part of our job needs to be to flag that our organizations need to be vigilant in understanding the risks and the opportunities that come with these technologies, and that we shouldn't be just licensing software because it's new and novel and it's going to make a difference. A lot of companies fall flat in their technology usage
00:10:27 Brian Tremblay
because they don't really take the time to understand it. So I would make sure that is something that we are doing in our job. That's not to say that there's not a ton of opportunities and use cases in our organizations for technologies, especially artificial intelligence. We just can't get away from that topic these days. And really, there's the organization's usage of these technologies, and then there's internal audit's usage, because what's happening more and more is
00:10:54 Brian Tremblay
a lot of purpose-built technologies for the business or for the consumer have made their way into internal audit's usage as well. So I think it's helping not only the business understand the risks and opportunities that come with technology, but also really thinking about the risks and the opportunities that come with internal audit using those technologies as well. I think about one example that the standards cover, which is
00:11:22 Brian Tremblay
in a very simple, basic blocking and tackling audit management system, we store payroll data, board minutes, a lot of information. And have we really thought about what that means for our department? And if you think about the data and information that are being stored in large language models and other databases and systems and tools that we're using, we just need to think about that. Which brings me to, I think, one of my more critical attributes. I know we'll be talking about it
00:11:49 Brian Tremblay
shortly, which is if it's technology, it's subject to technology risk and the buzzword that we created years ago called cybersecurity. Given that it's just lines of code, code is not designed perfectly and it creates risks not only to our internal stakeholders and ourselves, but also our customers to the extent that they use our software.
00:12:13 Deborah Poulalion
Thank you. That's a very good point. And also reminds me that in the Risk in Focus reports, we have a lot of discussion about from our roundtables conducted for this research about how organizations are encountering new risks from AI and trying to use AI for organizational opportunities and using AI for internal audit. So start the conversation with this podcast.
00:12:43 Deborah Poulalion
and download the report to hear from more internal auditors. So we've hinted at coming back to the issue that has been at the top of the risk levels for several years running, and that is cybersecurity. In North America, it is the highest rated risk by far. And just
00:13:07 Deborah Poulalion
hinting again, globally, that's not always the case. And I also want to mention that different industries, it can be different levels. Manufacturing does not usually rate cyber risk as high as financial services, for example. Having said that, in North America, 86% of CAEs said cybersecurity was one of the top five risks at their organizations. That's consensus, folks. 78% said it's one of the five areas where they spend the most
00:13:36 Deborah Poulalion
time and effort. Putting that in perspective, we talked about digital disruption increasing, but it's still only 50% say it's one of the five highest risks at their organization. So while we may spend a lot of time talking about AI, cybersecurity is always lurking in the background. So I wanted to get your perspective, Brian, on how AI
00:14:02 Deborah Poulalion
and new technology in general is impacting cybersecurity and what internal audit needs to do to stay vigilant and have the skills to address this issue.
00:14:14 Brian Tremblay
One of the things that's always surprised me is that for a couple of years now, like you indicated, it's been top risk or close to it in and outside of the IIA's surveys.
00:14:29 Brian Tremblay
You pretty much ask any leader what one of their top risks are and cybersecurity is there. But it feels like it's taken a little bit of a backseat to artificial intelligence and some of the other areas. And at the end of the day, like I alluded to, all of these technologies bring technology risk, also known as cybersecurity, with them. So when we're thinking about, or when I'm thinking about
00:14:58 Brian Tremblay
how we handle this and what the impacts are, I think about a couple of things. AI and other disruptive technologies strengthen both sides of the cybersecurity coin. They give us better defenses. They also give our threat actors better attack vectors. There was something recently in the news that the first AI-native cyber attack happened recently. That's not some
00:15:27 Brian Tremblay
coder coding something and then auto-breaching a system through a known vulnerability, it's something generated by artificial intelligence that on its own figured out a way to go through and penetrate into a vulnerable system. I mention that because in both cases, whether it's hands-on keyboard or not, the way they got through was a vulnerability.
00:15:54 Brian Tremblay
which is very simply a software bug, which in most cases is easily patched or remediated if known. So putting those zero days on the side, I would say there's a couple of things, probably not surprising based on some of my other comments, that are really imperative here. It's making sure that your basic blocking and tackling software controls, IT general controls are in place, including patch and vulnerability management.
00:16:23 Brian Tremblay
It's accepting that there's no perfect solution to cyber risk and ensuring that both within your organizations and within the third parties, maybe even fourth parties or beyond, that your organization directly or indirectly works with, that they have the right, as well as we have the right, processes and controls to respond to an incident. If you look at so much of what's out there
00:16:50 Brian Tremblay
today as it relates to outages, incidents, they're generally tied to organizations that we rely on, not the organizations that we work at. Maybe one other last thought around this topic is I was really surprised that I think it was 75 or almost 80% of folks, they spent a lot of time on this topic. And I'm a bit skeptical that that's
00:17:18 Brian Tremblay
what's happening out in the wild based on the CAEs that I talk to. Maybe beyond doing a cybersecurity readiness assessment through a standard like NIST or maybe some other governance framework, I really do feel like we can spend a lot more time, like I suggested, around the technology section we just spoke about. This is another area where I think
00:17:43 Brian Tremblay
we need to go a little bit deeper than an assessment. We need to understand technology and technology risk. We need to understand the mechanics of how our IT teams and our third parties actually think about, identify, monitor, and mitigate this risk.
00:18:03 Deborah Poulalion
Brian, I just want to say thank you for sharing your knowledge and experience on these three topics.
00:18:10 Deborah Poulalion
that were raised from Risk in Focus North America. And one thing that really stood out to me is you talked about going deeper and getting a better understanding of the technical side of these technology areas that internal audit needs to review. Do you want to make any final comments for people to remember?
00:18:32 Brian Tremblay
Really the theme is to do any of these topics justice, you have to spend more time with them than maybe you're thinking you need to spend with them. This isn't a standard, maybe more blocking and tackling type engagement that you may go execute or a topic that every company deals with in a similar manner.
00:18:56 Brian Tremblay
These are topics that really deserve a bit of a deeper dive or some expertise, either on your teams or leveraging folks in your organization or third parties or whoever you get specific information on these topics from in your organization. But it's really, I don't think skimming the surface is going to cut it in general, but specifically in these topics, you just have to commit to digging deeper and really understanding it more than maybe historically the profession has.
00:19:26 Deborah Poulalion
To go along with that, it sounds to me like with that knowledge, thinking very strategically about the impacts on the organization as a whole, which you talked about earlier.
00:19:41 Brian Tremblay
Yeah, definitely.
00:19:42 Deborah Poulalion
I want to encourage everyone again to go to the iia.org backslash risk in focus. Pick your favorite reports. Use them to start a conversation with your stakeholders. Keep following the Internal Audit Foundation for more good quality research about our profession. Brian, it has been a pleasure talking with you today.
00:20:07 Brian Tremblay
I really enjoyed doing this and I appreciate you having me.