

      KPMG’s guide to internal audit

      Internal Audit continues to operate in an increasingly complex and fast‑moving risk environment. Heightened regulatory expectations, geopolitical disruption, climate‑related obligations and rapid advances in technology, particularly artificial intelligence, are reshaping how risks emerge and how assurance is expected to be delivered.

      KPMG’s latest Internal Audit Hot Topics: The Next Risk Horizon highlights the priority risk areas Internal Audit functions should consider when shaping forward‑looking audit plans. These focus areas reflect the need for Internal Audit to move beyond periodic assurance towards more dynamic, insight‑driven and future‑focused coverage.

      Download the report to read more.



      Key focus areas for Internal Audit

      KPMG has identified external pressures, operational challenges and technology as key focus areas for Internal Audit in 2027.


      In an environment characterised by compounding uncertainty and accelerating change, External Pressures continue to represent a critical focus area for Internal Audit. Geopolitical disruption, heightened regulatory scrutiny, climate‑related obligations and global economic volatility are increasingly interconnected, amplifying their combined impact on organisational risk profiles.

      This evolving risk landscape requires risk management frameworks to move beyond static, retrospective assessments toward more forward‑looking, predictive and agile approaches. Internal Audit functions are expected to anticipate emerging risks, assess resilience to external shocks, and adapt assurance activity in step with rapidly changing external conditions.

      Risk factors
      • Renewed US trade protectionism, export controls and sanctions disrupting global supply chains, with greater exposure to tariffs, customs enforcement and rules‑of‑origin requirements.
      • Ongoing policy volatility increasing the need for scenario planning.

      The role of Internal Audit

      • Assess exposure to tariffs, export controls and sanctions across the value chain.
      • Evaluate trade compliance, customs control, supply‑chain resilience and contingency arrangements. 
      • Support scenario analysis of financial and operational impacts.

       

      Risk factors
      • Regulatory focus shifting from compliance to resilience and accountability, with increased board and executive liability.
      • Greater scrutiny of evidence‑based assurance.

      The role of Internal Audit

      • Embed high‑accountability regulatory obligations into audits.
      • Test readiness for major regulatory reforms.
      • Identify gaps before regulatory intervention occurs.
      • Use AI tools to support identification of relevant regulatory obligations, identify controls and assess effectiveness.

      Risk factors
      • Mandatory sustainability reporting under ASRS and alignment to ISSB and global frameworks.
      • Increased scrutiny of climate disclosures, transition plans, Scope 3 emissions, greenwashing and ESG data quality.
      • ESG risks increasingly influencing strategy and capital decisions.

      The role of Internal Audit

      • Assess readiness for mandatory ESG and climate disclosures.
      • Review governance, controls and data quality supporting ESG reporting.
      • Evaluate alignment between ESG risks, strategy and risk management.
      • Provide assurance over ESG governance frameworks.

      Risk factors
      • Growing reliance on third parties for critical operations.
      • Increased regulatory focus on third‑party and concentration risk.
      • Greater complexity in outsourcing and global supply chains.

      The role of Internal Audit

      • Review third‑party risk management governance and frameworks, including due diligence, contracting and ongoing monitoring.
      • Test resilience planning for critical third‑party dependencies.
      • Provide assurance over third‑party controls supporting compliance.

      The technology landscape continues to evolve at pace, driven by rapid innovation, increased connectivity and the widespread adoption of artificial intelligence (AI) across the enterprise. AI and emerging technologies are transforming automation, decision‑making and operating models, while also introducing new risks related to governance, data quality, transparency and control effectiveness.

      At the same time, escalating cyber threats and strengthening data protection and privacy obligations are increasing regulatory and stakeholder expectations. As technology becomes more deeply embedded in critical operations, risk management practices must become increasingly anticipatory, adaptive and integrated, enabling organisations to effectively manage both the opportunities and risks arising from accelerated technological change.

      Risk factors
      • Rapid AI adoption outpacing governance and controls.
      • Increased scrutiny of bias, transparency and explainability.
      • Growing use of autonomous tools and AI agents.

      The role of Internal Audit

      • Inventory and risk‑tier AI use cases.
      • Assess AI governance, ownership and human oversight.
      • Review controls over data, models and third‑party providers.
      • Perform pre‑ and post‑deployment reviews for bias, drift and monitoring.

      Risk factors
      • Increasingly sophisticated cyber threats, including ransomware.
      • Shift from framework alignment to control‑level testing.

      The role of Internal Audit

      • Assess incident detection, response and recovery capabilities.
      • Test ransomware and cyber incident scenarios.
      • Coordinate assurance over IT general controls.

      Risk factors
      • Stronger privacy obligations and enforcement.
      • Heightened impact of data breaches and poor data quality.
      • Greater use of automated decision‑making and analytics.

      The role of Internal Audit

      • Review data governance roles, frameworks and accountability, and controls over data quality, access, retention and security.
      • Test data breach response and notification processes.
      • Evaluate readiness for enhanced privacy requirements.

      Organisations are operating in an increasingly complex operational environment shaped by persistent economic pressures, geopolitical disruption, climate‑related impacts and heightened regulatory expectations. In this context, resilience has become a defining requirement for Australian organisations as they respond to rapid change while maintaining continuity, control effectiveness and service delivery.

      As cost pressures and disruption accelerate, operational functions are being challenged to balance efficiency with resilience. Digital transformation, automation and outsourcing initiatives continue to reshape operating models, increasing both opportunity and risk. Internal Audit is therefore expected to provide assurance that operational change is well governed, risks are understood, and control environments remain fit for purpose.

      Risk factors
      • Continued cost pressures driving restructuring, automation and outsourcing.
      • Risk of control gaps as cost initiatives accelerate.
      • Tension between efficiency and resilience objectives.

      The role of Internal Audit

      • Assess alignment of cost initiatives with risk appetite.
      • Identify control weaknesses arising from restructures or automation.
      • Review governance over major cost‑transformation programs.
      • Provide assurance that savings do not undermine key controls.

      Risk factors
      • Increasing frequency and severity of operational disruptions.
      • Heightened regulatory expectations for resilience and continuity, with stronger focus on critical operations, tolerances and dependencies.

      The role of Internal Audit

      • Test critical operations mapping and tolerance setting.
      • Review business continuity and disaster recovery plans.
      • Assess third‑party dependencies and resilience measures.
      • Perform scenario testing and tabletop exercises.

      Risk factors
      • Criminalisation of wage theft significantly increasing legal and reputational risk.
      • Payday Super requiring real‑time superannuation payments from July 2026.
      • Persistent risks from industrial relations reform, award complexity, record‑keeping and payroll systems.

      The role of Internal Audit

      • Shift from periodic reviews to continuous, risk‑based payroll monitoring.
      • Use analytics to detect pay and entitlement anomalies.
      • Assess payroll system configuration, automation and integration.
      • Review remediation programs for historical underpayments.
      • Assess readiness for Payday Super and future reforms.

