Skip to main content

Deloitte's 2026 Internal Audit Hot Topics: A Brief

·1106 words·6 mins
Author
Shane Blaufuss, CISSP

Deloitte dropped their 2026 Internal Audit Hot Topics report in January. It’s 19 pages covering where they think Internal Audit can deliver the most impact this year. Here’s what’s in it.


Key Takeaways
#

  • Agentic AI is Deloitte’s “mega hot topic” for 2026: autonomous agents can initiate actions outside established approval chains, creating fraud exposure and accountability gaps most audit functions aren’t equipped to assess
  • DORA is now live for EU financial services; the UK Critical Third Parties framework is operational; third-party risk is no longer just an operational concern — it’s a live regulatory compliance issue
  • Most organizations haven’t started cryptographic migration planning; NIST’s 2030 deadline for deprecating current standards is closer than most teams are accounting for
  • “Harvest now, decrypt later” attacks — where adversaries collect encrypted data today to decrypt once quantum capability matures — make quantum readiness time-sensitive right now, not in 2029
  • AI is accelerating every risk vector in both directions; Deloitte’s prescription is for audit to become an early adopter of agentic AI internally while building the governance muscle to audit it in the business

The Big Picture
#

The framing is that Internal Audit is entering its “most transformative era” — the expectation is a shift from lagging assurance to strategic partnership. The backdrop driving that: economic instability, geopolitical tension, AI acceleration, and a pace of regulatory change that shows no sign of slowing.

The report splits into three buckets: one mega hot topic, seven operational priorities, and seven IT/cyber priorities.


Mega Hot Topic: Agentic AI
#

This is the headline theme and it’s getting its own section for good reason. Agentic AI — autonomous systems that plan, execute, and adapt with minimal human oversight — is expected to be embedded across business functions by 2026. Unlike traditional generative AI that responds to prompts, these systems act more like digital employees: connecting across systems, making decisions, initiating tasks.

The risks Deloitte flags:

  • Accountability gaps — when an agent acts independently, it’s often unclear who owns the outcome
  • Decision-making errors at scale — biased or incorrect autonomous decisions can compound fast
  • Control bypass — agents can initiate actions outside established approval chains, creating fraud and financial misstatement exposure
  • Adversarial attacks — prompt injection, model poisoning, and system exploitation are active threat vectors
  • Shadow AI — business units deploying agents without enterprise oversight, creating parallel uncontrolled processes
  • Data privacy — agents can inadvertently access or exfiltrate sensitive data

What IA should be doing:

Deloitte’s recommendation is for audit to govern agentic AI and use it. On the governance side: assess accountability frameworks, audit shadow AI deployment, review human-in-the-loop architecture, and test cybersecurity controls around AI systems. On the adoption side: pilot agentic AI internally for continuous control monitoring, dynamic audit planning, controls rationalization, and quality assurance automation.

The closing line here is direct: “Agentic AI will be both a game changer and a governance challenge.” Boards are going to start asking for assurance over AI governance specifically, and most audit functions aren’t ready to provide it.


Operational Hot Topics
#

#TopicWhat’s Driving It
1M&AAccelerating deal activity and heightened regulatory scrutiny on integrations
2Business & System TransformationAI-era modernization creates value, but controls are routinely deprioritized
3Capital Program AssuranceCompeting funding priorities, greenwashing risk on sustainability disclosures
4Supply Chain & TariffsGeopolitical volatility, tariffs, forced labor regulations reshaping sourcing
5Regulatory Compliance ReadinessAI, sustainability, data privacy rules accelerating across jurisdictions simultaneously
6Resilient BusinessBoards demanding embedded resilience, not just documented response plans
7Third-Party Risk ManagementComplex partner/JV/fourth-party ecosystems + DORA and UK Critical Third Parties requirements

A few of these deserve more than a table row.

Supply Chain & Tariffs is getting elevated attention because the combination of tariff volatility and forced labor legislation (UFLPA in the US, similar frameworks emerging in the EU) means supplier governance is now a legal liability issue, not just an operational one. Audit’s focus areas include supplier onboarding controls, ongoing ethical compliance monitoring, and cybersecurity of digital logistics platforms.

Third-Party Risk Management is being pushed by regulatory pressure as much as operational reality. DORA is now live for EU financial services. The UK Critical Third Parties framework is operational. US banking guidance is tightening. The common thread: regulators want to see that organizations have genuine visibility into their extended ecosystem — subcontractors, fourth parties, JV partners — not just a tier-one vendor list.


IT & Cyber Hot Topics
#

#TopicWhat’s Driving It
1Vulnerability ManagementAI-driven attacker tooling weaponizes exploits at machine speed
2Identity & Access ManagementIdentity is now the primary attack entry point across cloud and hybrid environments
3Quantum ComputingQuantum breakthroughs threaten current encryption standards — migration to quantum-safe crypto is urgent
4OT/IT ConvergenceIoT and industrial automation expose legacy OT infrastructure to modern cyber threats
5Cloud Governance & SecurityHybrid/multi-cloud complexity, misconfiguration risk, data sovereignty requirements
6APIsUnmanaged API sprawl creates blind spots and unmonitored attack surface
7Network SecurityAI-powered attacks outpacing traditional perimeter-based defense models

The quantum computing flag is the most forward-leaning item in the report. Most organizations haven’t started cryptographic migration planning, and the report positions this as already urgent — not a future concern. The specific focus areas are quantum readiness roadmaps, encryption transition governance, and third-party vendor readiness. The “harvest now, decrypt later” attack model (where adversaries collect encrypted data today to decrypt once quantum capability matures) is the underlying threat that makes this time-sensitive even before quantum computers are practical.

OT/IT convergence is worth watching if you’re in manufacturing, energy, utilities, or any sector with physical infrastructure. The convergence of operational technology and enterprise IT — while operationally efficient — means legacy industrial systems are increasingly reachable from the broader network. These systems were never designed with modern cybersecurity in mind, patching cycles are slow, and an outage can have physical safety consequences.


So What
#

The throughline across every category in this report: AI accelerates every risk vector, in both directions. Attackers are using it to move faster; defenders have the same capability available but are slower to adopt it. Deloitte’s prescription for IA is to close that gap by becoming an early adopter of agentic AI internally while simultaneously building the governance muscle to audit it in the business.

The items I’d prioritize reading the full section on if you’re in audit or security leadership: agentic AI governance, TPRM regulatory requirements (especially DORA if you touch EU financial services), and quantum readiness — because that one has a longer lead time than most teams are accounting for.


Source: Deloitte, 2026 Internal Audit Hot Topics (January 2026)