Internal audit: Key focus areas for 2025

Key focus areas in internal audit

Internal Audit functions are confronted by a continually evolving risk environment heightened by uncertainty, unpredictability, and volatility. To develop agile, responsive Internal Audit Plans for 2025, Internal Audit leaders need to anticipate potential issues and be prepared to modify their audit strategies.

KPMG has identified key areas and associated risks for Heads of Internal Audit to consider during their 2025 risk assessment and audit planning processes. Our guide: Internal Audit: Key Thematic Areas to Consider in 2025 serves as a blueprint for Internal Audit functions who need to construct responsive and flexible Internal Audit Plans that address immediate concerns and anticipate future challenges.

Download the report to read more.

Internal Audit: Key thematic areas to consider in 2025

Areas of focus for internal audit functions for 2025

Download

Key focus areas for Internal Audit

KPMG has identified external pressures, operational challenges and technology as key focus areas for Internal Audit in 2025.

In the context of the age of 'polycrisis,' as termed by the World Economic Forum, External Pressures represent a significant focus area for Internal Audit to consider in 2025. The essence of a polycrisis lies in its illustration of how multiple global risks are interconnected, with their combined effects being greater than their individual impacts. This phenomenon presents a heightened challenge for organisations as they navigate through intensifying economic, geopolitical, and environmental uncertainties.

This complex risk environment requires risk management frameworks to become more predictive and agile to quickly adapt and effectively confront both known and emerging risks.

The landscape of global economics is currently marked by a high degree of volatility driven by regional conflicts and the wars in Ukraine and Gaza, plus fragmented trade agreements. These tensions are escalating commodity costs, including for oil and gas, prompting a global cost of living crisis. To combat rising inflation, central banks, such as Australia's, are raising interest rates to their highest levels in recent times. Despite initial inflation stabilisation, geopolitical instability is expected to persist as a major uncertainty factor.

Internal Audit must adapt, utilising advanced techniques like Dynamic Risk Assessment and scenario planning for a thorough analysis of interconnected risks and their potential impacts. These approaches help auditors grasp the full scope of geopolitical risks and guide organisations through economic uncertainty.

ESG has emerged as a key element for long-term business sustainability, with a growing emphasis on mandatory ESG reporting requirements globally. The Australian Accounting Standards Board's new draught Australian Sustainability Reporting Standard signals mandatory climate reporting by FY25 for major Australian firms, aiming to increase the transparency for investors. Businesses must transform their practises to meet these reporting standards, not just for compliance, but to integrate ESG with strategic goals for added value and resilience.

Internal Audit’s role is key in steering organisations through these changes, evaluating new reporting standard readiness, consulting on ESG governance, and ensuring ESG risks are managed in line with business objectives.

Recent global events including the COVID-19 pandemic and geopolitical conflicts have underscored the importance of resilient supply chains. A shift from cost-centric to resilience-focused strategies is necessary, with an emphasis on diversifying suppliers to reduce dependency on single sources. Current supply chain approaches prioritise adaptability and risk preparedness, considering regulatory shifts and stakeholder demands for ethical and ESG-compliant third-party practises.

Internal Audit has a key role in evaluating supply chain maturity and resilience, offering guidance on operational models, and ensuring preparedness for existing and potential economic and geopolitical disruptions.

Organisations navigating the operational landscape of 2025 must proactively address emerging risks and opportunities spurred by increasing economic, geopolitical, and environmental uncertainties. The dynamic and competitive Australian economy demands resilience, especially in the face of rapid changes. With the priority shift toward accelerating digital transformation, operational functions are compelled to adopt more progressive and dynamic approaches to overcome these challenges.

This complex risk environment requires risk management frameworks to become more predictive and agile to quickly adapt and effectively confront both known and emerging risks.

In the wake of macroeconomic volatility, with rising inflation and interest rates reminiscent of the early 2000s, organisations are facing significant financial stress. The outlook for 2024 and beyond suggests an era of continued market fluctuation, rather than a quick return to economic stability. This environment is challenging the fiscal and strategic resilience of companies, with direct implications for profitability and liquidity management.

Internal Audit should examine management's methods for identifying and mitigating risks tied to inflation and interest rate fluctuations, including the execution of scenario analysis to navigate potential future market conditions.

Organisations must enhance operational resilience due to continual changes in the economic, geopolitical, and environmental spheres. This involves updating systems to handle disruptions while adhering to Australia's regulatory requirements like the Security of Critical Infrastructure Act 2018. Resilience efforts centre on investments in personnel, processes, and technology, reinforced by comprehensive crisis and continuity management.

Internal Audits are critical for assessing the efficacy of these initiatives, ensuring appropriate risk identification, response planning, ongoing risk reassessment, and analysing the cost-benefit ratios of mitigation strategies.

Effective talent management involves attracting, retaining, and nurturing skilled employees, focusing on enriching their work experience and well-being. Embracing flexible and remote work environments, alongside a strong Employee Value Proposition (EVP), is vital for staff contentment and aligning with corporate goals. Legislative changes underline the importance of addressing psychosocial hazards and integrating resilient workforce practises. With AI transforming roles and skills, organisations must adapt strategically.

Internal Audit should evaluate organisation's strategies for workforce planning, future skill requirements, talent acquisition, and retention, their impact on internal controls, and management's employee-centric improvements.

The technology landscape is defined by rapid innovation and increased connectivity, impacting industries worldwide. Advancements in artificial intelligence (AI) and machine learning are pushing new frontiers in automation, process optimisation, and decision-making. In response to regulatory frameworks like the European Union's General Data Protection Regulation (GDPR), cybersecurity has become a critical priority for technology adopters. As a result, risk management practises in organisations are required to become increasingly anticipatory and adaptable to effectively manage the evolving challenges presented by these technological advancements.

Cybersecurity continues to be a critical concern for organisations into 2025, driven by the escalating complexity of cyber threats and the proliferation of digital interfaces, new tech platforms, and ever-growing volume of sensitive data constantly moving across interconnected and integrated networks. The increased frequency of cyberattacks impacts a wide spectrum of industries, necessitating a fortified approach to cyber defence and data protection. Organisations are adopting stronger IT security measures and fostering a culture of cybersecurity awareness among employees.

Internal Audit plays a key role in evaluating cybersecurity risk controls, ensuring vigilant monitoring, and complying with relevant standards and regulations. Through targeted reviews and technical assessments, including vulnerability assessments and penetration tests, Internal Audit can help to identify potential external security weaknesses to fortify against cyber threats.

Heightened sensitivity to data privacy rights among customers, employees, and regulators has underscored the necessity for organisations to secure personal information diligently. Stringent compliance with regulations such as the Australian Privacy Act and state-specific privacy laws is imperative to avoid reputational harm, regulatory repercussions, and financial penalties. Organisations must enforce precise management and governance of their data-centric practises.

Internal Audit plays a crucial role by evaluating data controls to ascertain and secure data collection, storage, transfer, retention, and disposal processes. The scrutiny extends to the effectiveness of data breach response strategies, coordination with third parties, and oversight of any third-party data access to ensure robust protection and compliance.

Businesses increasingly harness AI technology as a driving force for innovation, utilising generative AI and sophisticated data processing to achieve enhanced business outcomes. Nevertheless, it is essential for organisations to be aware of the accompanying risks and to proactively address them, particularly by focusing on the ethical deployment of these emerging technologies within the organisation.

Internal Audit should critically assess digital strategies and technology implementations, including cloud, DevSecOps, zero trust, and distributed ledgers. Internal Audit should also review AI utilisation which involves addressing risks around data integrity and security, with frameworks like KPMG’s Trusted AI guiding ethical management audits.