Internal audit: Key focus areas for 2025 - KPMG Australia (2024)

The landscape of global economics is currently marked by a high degree of volatility driven by regional conflicts and the wars in Ukraine and Gaza, plus fragmented trade agreements. These tensions are escalating commodity costs, including for oil and gas, prompting a global cost of living crisis. To combat rising inflation, central banks, such as Australia's, are raising interest rates to their highest levels in recent times. Despite initial inflation stabilisation, geopolitical instability is expected to persist as a major uncertainty factor.

Internal Audit must adapt, utilising advanced techniques like Dynamic Risk Assessment and scenario planning for a thorough analysis of interconnected risks and their potential impacts. These approaches help auditors grasp the full scope of geopolitical risks and guide organisations through economic uncertainty.

ESG has emerged as a key element for long-term business sustainability, with a growing emphasis on mandatory ESG reporting requirements globally. The Australian Accounting Standards Board's new draught Australian Sustainability Reporting Standard signals mandatory climate reporting by FY25 for major Australian firms, aiming to increase the transparency for investors. Businesses must transform their practises to meet these reporting standards, not just for compliance, but to integrate ESG with strategic goals for added value and resilience.

Internal Audit’s role is key in steering organisations through these changes, evaluating new reporting standard readiness, consulting on ESG governance, and ensuring ESG risks are managed in line with business objectives.

Recent global events including the COVID-19 pandemic and geopolitical conflicts have underscored the importance of resilient supply chains. A shift from cost-centric to resilience-focused strategies is necessary, with an emphasis on diversifying suppliers to reduce dependency on single sources. Current supply chain approaches prioritise adaptability and risk preparedness, considering regulatory shifts and stakeholder demands for ethical and ESG-compliant third-party practises.

Internal Audit has a key role in evaluating supply chain maturity and resilience, offering guidance on operational models, and ensuring preparedness for existing and potential economic and geopolitical disruptions.

In the wake of macroeconomic volatility, with rising inflation and interest rates reminiscent of the early 2000s, organisations are facing significant financial stress. The outlook for 2024 and beyond suggests an era of continued market fluctuation, rather than a quick return to economic stability. This environment is challenging the fiscal and strategic resilience of companies, with direct implications for profitability and liquidity management.

Internal Audit should examine management's methods for identifying and mitigating risks tied to inflation and interest rate fluctuations, including the execution of scenario analysis to navigate potential future market conditions.

Organisations must enhance operational resilience due to continual changes in the economic, geopolitical, and environmental spheres. This involves updating systems to handle disruptions while adhering to Australia's regulatory requirements like the Security of Critical Infrastructure Act 2018. Resilience efforts centre on investments in personnel, processes, and technology, reinforced by comprehensive crisis and continuity management.

Internal Audits are critical for assessing the efficacy of these initiatives, ensuring appropriate risk identification, response planning, ongoing risk reassessment, and analysing the cost-benefit ratios of mitigation strategies.

Effective talent management involves attracting, retaining, and nurturing skilled employees, focusing on enriching their work experience and well-being. Embracing flexible and remote work environments, alongside a strong Employee Value Proposition (EVP), is vital for staff contentment and aligning with corporate goals. Legislative changes underline the importance of addressing psychosocial hazards and integrating resilient workforce practises. With AI transforming roles and skills, organisations must adapt strategically.

Internal Audit should evaluate organisation's strategies for workforce planning, future skill requirements, talent acquisition, and retention, their impact on internal controls, and management's employee-centric improvements.

Cybersecurity continues to be a critical concern for organisations into 2025, driven by the escalating complexity of cyber threats and the proliferation of digital interfaces, new tech platforms, and ever-growing volume of sensitive data constantly moving across interconnected and integrated networks. The increased frequency of cyberattacks impacts a wide spectrum of industries, necessitating a fortified approach to cyber defence and data protection. Organisations are adopting stronger IT security measures and fostering a culture of cybersecurity awareness among employees.

Internal Audit plays a key role in evaluating cybersecurity risk controls, ensuring vigilant monitoring, and complying with relevant standards and regulations. Through targeted reviews and technical assessments, including vulnerability assessments and penetration tests, Internal Audit can help to identify potential external security weaknesses to fortify against cyber threats.

Heightened sensitivity to data privacy rights among customers, employees, and regulators has underscored the necessity for organisations to secure personal information diligently. Stringent compliance with regulations such as the Australian Privacy Act and state-specific privacy laws is imperative to avoid reputational harm, regulatory repercussions, and financial penalties. Organisations must enforce precise management and governance of their data-centric practises.

Internal Audit plays a crucial role by evaluating data controls to ascertain and secure data collection, storage, transfer, retention, and disposal processes. The scrutiny extends to the effectiveness of data breach response strategies, coordination with third parties, and oversight of any third-party data access to ensure robust protection and compliance.

Businesses increasingly harness AI technology as a driving force for innovation, utilising generative AI and sophisticated data processing to achieve enhanced business outcomes. Nevertheless, it is essential for organisations to be aware of the accompanying risks and to proactively address them, particularly by focusing on the ethical deployment of these emerging technologies within the organisation.

Internal Audit should critically assess digital strategies and technology implementations, including cloud, DevSecOps, zero trust, and distributed ledgers. Internal Audit should also review AI utilisation which involves addressing risks around data integrity and security, with frameworks like KPMG’s Trusted AI guiding ethical management audits.