Technology, business transformation, and digitization are internal audit’s primary concerns according to consulting firm Jefferson Wells’ 2025 Internal Audit Priorities Annual Survey.  The top concerns of audit committees are similar, with Generative Artificial Intelligence (GenAI) now second only to data privacy and cybersecurity. Jefferson Wells’ study involved 257 audit leaders from U.S. for-profit companies across different industries and regions. 

For internal audit leaders, the leading emerging risks reported by survey participants were:

• Cybersecurity (41 percent)

• GenAI (35 percent)

• Business transformation/digitization (27 percent)

• Economic uncertainty (26 percent)

The top three internal audit emerging risks were the same last year, while economic uncertainty was unranked in 2024.  Jefferson Wells notes that strategic risk has fallen in importance over the past two years “as technological advancements have shifted auditors’ attention away from strategy.”

For audit committees, the top emerging risks were:

• Data privacy & cybersecurity (52 percent)

• GenAI (39 percent)

• Strategic risk (29 percent)

• Business transformation/digitization (22 percent)

While cybersecurity was also the number one audit committee concern in 2024, GenAI rose 13 percentage points in 2025 to second place, surpassing strategic risk.

In terms of activities, the top five initiatives in which internal audit was involved were fraud investigations (57 percent), enterprise risk management (57 percent), new technologies or applications (49 percent), process improvement (49 percent), and system implementations (48 percent).  Internal audit departments with more than 100 staff members were also likely to be involved in corporate strategy work.  Third-party risk fell in priority to sixth place (43 percent).  However, Jefferson Wells notes that 54 percent of respondents said internal audit is still conducting periodic audits of third-party vendor management programs, although only 24 percent reported that their internal audit departments “are evaluating Nth party risks and, surprisingly, 23% of audit shops are conducting actual on-site vendor audits for their organization.”  (“Nth party risk” refers to risk that arises, not just from direct vendors (i.e., third parties), but from the vendors and subcontractors on which direct vendors rely.)

The Jefferson Wells report includes sections that detail survey findings on cybersecurity and technology risk, GenAI, and talent.  Talent is a particular concern for internal audit leaders.  Thirty-seven percent plan to increase their staff size in 2025, and 59 percent report that hiring employees with the right technical skills is one of their biggest challenges.