Staying on top of potential threats to an organization is a critical part of the work public company board members do to protect stakeholders, drive shareholder value and ensure the company's long-term resilience in an increasingly complex risk environment. It is a responsibility that is vast in focus and ever-changing.
When it comes to assessing and navigating the risk environment, internal audit is the board's most trusted ally. An integral part of the company's risk management system, the internal audit function is charged with keeping a close watch on emerging and “under the radar” threats. For boards of public companies, leveraging internal audit is critical both for operational risk management and for fulfilling oversight obligations, such as those under the Sarbanes-Oxley Act and other regulations related to internal controls and risk disclosures.
When I spoke recently to an audience of senior internal auditors about the risk environment in North America, 70% said they expected the risks their organizations face to significantly increase in the next two years. Not one person predicted a decrease.
While the specific risks will vary from company to company, The Institute of Internal Auditors' North America 2025 Risk in Focus report provides a snapshot of the most pressing risk areas in North America today and those expected to rise in coming years. The research pinpointed cybersecurity and digital disruption as top-rated risks for companies today, highlighting the potential of emerging technology, such as AI, to supercharge cybercrime and other cyber-related risks.
Public company boards also face growing scrutiny from regulators and investors regarding how cyber risks are governed and mitigated internally. The SEC's recently finalized cybersecurity disclosure rules require timely reporting of cyber incidents and enhanced transparency into board-level cyber oversight. In this context, boards and internal audit functions must work in lockstep to proactively manage threats related to cybersecurity and digital disruption and ensure compliance as regulations and disclosure requirements evolve.
While internal audit is responsible for assessing internal controls and governance, boards and senior management must ensure risk management frameworks remain aligned with AI and cyber threats as they evolve. This requires working closely with security teams to monitor threats and implement technical safeguards, such as multifactor authentication, where necessary.
Given the rapid advancement and widespread adoption of AI, boards must also collaborate with internal audit functions to ensure AI is integrated responsibly and securely within organizations. This includes establishing guidelines for responsible AI usage, implementing comprehensive AI training for staff and ensuring employees can identify and respond to potential cyber risks, such as digital fraud or online scams. In these instances, boards and the internal audit function have a responsibility to work together to manage the risks of adopting new technology — understanding they cannot be mitigated entirely — while evaluating the competitive advantages emerging technology can provide.
Beyond cybersecurity and emerging technology, regulatory change remains a critical risk area that deserves board members' attention. In fact, regulatory change was rated as a top-five risk area in The IIA's Risk in Focus results for North America and is expected to remain in the top five over the next several years. Given the current presidential administration, boards of public companies and internal audit functions must be prepared for deregulation and, in the event of regulatory or compliance cutbacks, must understand how greater self-regulation, where needed, can fill risk gaps.
For boards, this may mean implementing more frequent training related to corporate ethics and updating corporate policies related to legal and ethical standards. It also requires ensuring ongoing director education on governance trends and regulatory development as well as actively overseeing disclosures that may impact the company. In terms of risk mitigation, deregulation may also require enhanced risk oversight from boards, including conducting frequent reviews of risk management systems while increasing communication with key stakeholders and investors to promote transparency and address emerging concerns before they escalate.
For internal audit functions, deregulation may present an opportunity to shift from a compliance-focused approach to a risk- and strategy-based approach. This would require deeper collaboration with risk management teams to strengthen internal controls for key risk areas, as well as close monitoring of industry best practices to maintain high governance standards in risk areas where there is less regulatory guidance to rely on.
Regarding regulatory changes, shifts in tariff policies can create significant supply chain disruptions, impacting production costs, supplier and customer relations, and ultimately, operational efficiency. Boards and internal audit functions must work together to anticipate, monitor and mitigate threats related to evolving trade policy. This includes evaluating supplier relations and dependencies, identifying areas of high risk and developing contingency plans with alternative sourcing strategies to maintain operational resilience. It also requires ensuring that supply chain risks are appropriately reflected in risk disclosures and are aligned with evolving investor expectations around transparency and operational risk.
The risk landscape is incredibly fluid and requires constant vigilance from internal audit functions, boards and management. It calls on internal audit functions and boards of public companies to work closely and think creatively to ensure organizations can proactively identify and manage emerging risks and meet rising expectations from regulators, investors and other key stakeholders.