
      Annual risk-oriented audit planning is both mandatory and optional. In a changing world characterised by globalisation, climate change, geopolitical risks and advancing digitalisation, the primary task of internal auditing is to anticipate new risks and consistently align its own approaches and methods accordingly. The VUCA risks (volatility, uncertainty, complexity and ambiguity) lead to a challenging dynamic for the risk orientation of internal auditing, which is expressed in particular in risk-oriented audit planning.

      Risk-oriented audit planning should be determined on the basis of the organisation's risk profile ("organisational risk profile", GIAS Standard 9.1). Audit planning is based, among other things, on data from past audits, risk management, compliance, accounting and business processes. Individual factors and EHS information (environment, health, safety) are also included in the planning. In addition, compliance with the topical requirements[1] in the relevant audit areas must be taken into account. Around 40 per cent of the participants in a survey[2] that we conducted stated that the topical requirements have already been largely or fully taken into account in the current audit planning.

      In our view, the following KPMG Internal Audit Hot Topics represent a selection of current topics, trends and drivers. They can be divided into four areas of consideration:

      • Compliance
        • EU AI Act - Risk-based classification, requirements for high-risk AI systems, rules for AI models for general purposes
        • NIS2 - Extended scope, definition of risk and crisis management components, extended incident reporting requirements
        • Cyber Resilience Act - Digital products must comply with the CRA and integrate security measures through design, vulnerability management and incident reporting
        • Whistleblower Protection Act - reporting channels, case management, protective measures for whistleblowers
        • FISG and GCGC A.5 Compliance - Basis and validation process for the statement on the appropriateness and effectiveness of corporate governance systems in the management report
        • Sanctions and embargoes - Compliance requirements for companies, strategies and procedures for managing the associated risks, monitoring/handling of false positive screening alerts
        • Risk management - process-independent monitoring of the risk early warning system
      • Operational
        • Resilience and business continuity - analysing the impact on the business and the business continuity strategy
        • Macroeconomic and geopolitical uncertainties - supply chain disruption, financial resilience, inflation and liquidity, embargoes and sanctions
        • Customs strategy - complexity, disruption and rapid change due to new or changing customs announcements (e.g. impact, risk management, scenarios and strategy)
        • Dealing with external risks - identification, assessment, management and monitoring of external risks, reprioritisation of the audit plan
        • Stakeholder relationships - business partner due diligence and know your customer
        • Financial transformation - new ERP, automation, digitalisation
        • HR transformation - diversity, talent management, employee retention
      • IT systems and data governance
        • Industrial control system - Efficient and safe operation of machines and systems as well as IT security in the areas of factory automation and process control
        • Cybersecurity and data protection - maturity level of cybersecurity, appropriate measures to prevent data loss incidents
        • AI governance (GenAI) - requirements for the deployment and use of GenAI tools, AI risk & compliance assessment, AI security and data protection strategy, AI assurance and monitoring of AI risks
        • DAC 7 - Compliance with e-invoicing and tax obligations
        • Hybrid working - data protection and security requirements
        • ESG reporting - integration of ESG reporting tools into the existing IT structure
      • ESG
        • ESG regulation and transformation - monitoring regulatory changes and adapting established processes
        • ESG governance - target operating model, assessing and monitoring the achievement of corporate social responsibility targets
        • ESG risk management - integration of ESG risks into the company-wide risk management system, taking into account physical risks and transition risks in relation to climate change and other environmental, social and governance risks
        • ESG data governance - collecting, processing and validating non-financial data generated by various units, implementing internal controls (COSO framework)
        • EU CSDDD - Readiness and compliance with legal requirements relating to human rights and environmental protection
        • CSRD and/or voluntary reporting (VSME) - Proper ESG reporting
        • EU Deforestation Regulation - Supply chain and due diligence
        • EU Green Deal Compliance - resource efficiency, green technologies, transparency of reporting
        • Perfluoroalkyl and Polyfluoroalkyl Substances (PFAS) - Readiness for future requirements
        • Carbon Border Adjustment Mechanism (CBAM) - fulfilment of requirements in connection with CO2 border adjustment levy
        • Energy Transition - Energy strategy, change programmes, monitoring


      Your contact

      Mark Frederik Schmidt

      Senior Manager, Audit - Regulatory Advisory, Sustainability Reporting & Governance

      KPMG AG Wirtschaftsprüfungsgesellschaft


      [1] Topical requirements are specific standards designed to improve the quality and consistency of internal auditing. For specific topics, the requirements must be complied with when carrying out the audit assignments.

      [2] KPMG GIAS Survey (August 2024)