A new report from Gartner indicates that internal auditors will target cybersecurity vulnerabilities, data governance, and regulatory compliance in their 2026 audit plans.
The findings suggest that these focus areas reflect the evolving landscape in which organisations operate, particularly as they face increasing complexities stemming from advancements in artificial intelligence (AI).
According to James Bourke, director of research in the Gartner Assurance Practice, “The rapid rise of AI is driving acute issues for organizations in terms of cybersecurity, data governance, and regulatory compliance.”
He noted that while internal audit teams are likely to incorporate these risk areas into their audits, they express only limited confidence in their ability to adequately assess and assure cybersecurity and data governance risks. Notably, just 48% of Chief Audit Executives (CAEs) reported being highly confident in their capacity to manage these vulnerabilities.
Gartner's report, titled 2026 Audit Plan Hot Spots, is based on a survey of 160 CAEs conducted between May and June 2025. The report outlines four prominent themes emerging in audit plans for the upcoming year: geopolitical volatility, cost reduction pressures, security and resilience in uncertain times, and rapid developments in AI.
Cybersecurity vulnerabilities have emerged as a crucial area of focus, with 96% of survey respondents planning activities to provide assurance over this risk. Bourke highlighted that “cybersecurity is a major risk area, especially as organizations depend more on third-party vendors who can introduce vulnerabilities.”
He elaborated on the challenges faced by cybersecurity teams, remarking that they are often stretched thin in their efforts to respond to sophisticated threats, including those driven by AI technology.
In terms of data governance, 94% of CAEs reported that their audits will include this critical area. Bourke pointed out that organisations are grappling with the complexities of managing AI-generated data alongside regulatory requirements related to data localisation and sovereignty. He emphasized the need for robust governance measures, recommending that organisations’ AI policies be enhanced to address the specific risks associated with AI outputs.
Finally, regulatory compliance remains a vital concern, with 97% of CAEs planning to cover this area in their audit activities for 2026. Bourke commented on the difficulties organisations face due to regulatory uncertainty, stating, "Amid a deregulatory push from the current U.S. administration, organizations must confront significant policy uncertainty, as well as increased pressures on ethical behaviours."
These findings illustrate the pressing need for internal auditors in Southeast Asia and Hong Kong to prepare for a landscape characterised by increasing threats and regulatory complexities as they strive to assure organisational resilience.
