Study Flags Audit Teams, Geopolitical Risk

Here’s a tricky one for corporate risk managers and internal audit teams everywhere: worries about geopolitical risk are surging among organizations around the world, but audit teams still rate geopolitical risk as a low priority — creating an “alignment gap” between risk and risk management that in some places is alarmingly large.

So says a report from the Institute of Internal Auditors, which today released its annual Risk in Focus survey. The report polled more than 4,000 internal audit executives around the world to ask them what the top risks are at their organizations as well as what their top audit priorities are. The report is a great resource for audit leaders who want to understand how closely their own enterprise risk assessment matches those of their industry or geographic peers.

The headline is that geopolitical or macro-economic risk — which includes everything from tariffs and trade wars, to actual wars, to divisive political strife within one country — shot up the worry scale around the world, and particularly in North America. Thirty-eight percent of respondents listed geopolitical risk among their top five worries this year, up from only 28 percent who said so in 2024. See Figure 1, below.

 

[Figure 1: geopolitical risk. Source: IIA]

The jump was even more pronounced in North America specifically, rising from 26 percent last year to 45 percent this year. It’s yet more evidence that President Trump’s erratic and incoherent policies are leaving Corporate America bewildered about, well, pretty much everything.

Despite those worries, however, audit priorities have generally not changed. Cybersecurity is still the top priority worldwide, as it was last year, with governance, reporting, business resilience, and financial liquidity all close behind. Such was the case in 2024, and remains so now. See Figure 2, below.

 

[Figure 2. Source: IIA]

So even though geopolitical risk is now the fastest-growing worry among audit teams (cited as a top risk by 38 percent, up from 28 percent last year), it remains a low audit priority for those same teams (cited as a top audit priority by only 11 percent, up from 8 percent last year).

Why? The IIA conducted follow-up roundtables with survey participants to dig into that. Some said that in practice, geopolitical risk is more likely to be audited “indirectly” as part of an audit of something else — that the concerns associated with geopolitical risk get rolled into audits for business resilience, regulatory change, or supply chain reliability. 

That’s plausible. Perhaps geopolitical risk is similar to corporate culture, in that you can’t really “audit” culture directly, but you can get a sense of it by looking at other metrics such as employee turnover, unresolved audit findings, and the like. 

In that case, chief audit executives might want to ponder how you could audit geopolitical risk. That is, do you have the right tools and talent to examine, say, supply chain exposure to tariffs, or to monitor declining political stability in major geographic markets?

How would you define geopolitical risk for your own organization, and then, what metrics would you want to observe to see how that risk is evolving? Those are the questions you’d want to answer so that if geopolitical risk does become a major audit priority, you’ll be in position to act on it.

A Word on Digital Disruption

The other interesting item in the IIA report was “digital disruption,” a risk that includes the threat of artificial intelligence upending your business models or competitive position. Digital disruption was the second-highest risk among all respondents worldwide, cited by 48 percent; but as an audit priority it only ranked eighth, cited by 32 percent. 

So the alignment gap here isn’t as large as what we see for geopolitical risk, but it does exist — and if I were a chief audit executive, I’d worry more about this gap than I would about the one in geopolitical risk.

After all, there is a certain expansive unpredictability about geopolitical risk. Lots of its specific manifestations, such as tariff announcements in Washington or Russia marching into Ukraine, are beyond any company’s ability to control.

 

[Figure. Source: IIA]

AI and digital disruption aren’t like that; lots of their specific manifestations are within your ability to control, or at least to foresee. You can hire talent who knows how AI works, or build governance models to guide AI adoption at your organization along thoughtful, risk-aware paths. Work like that can deliver tangible benefits to the organization, and remind senior management that a robust internal audit or risk management function adds real value to the enterprise.