Key Risks for Internal Audit

16 key risks for internal audit to consider in 2017 and 2018


Traditionally, adding value and providing insights on the key risks of an organization has not been a key priority of IA. A modern IA function, however, should understand the organization's key risks and proactively identify emerging risks in order to add value to the organization.

This publication will help IA to prioritize areas and will further enhance IA’s role as a strategic and value-adding business partner within the organization.

This article highlights several key risks that IA should consider in the development of an annual strategic audit plan.

In order to select the key risks that matter to the organization, IA:

  • Is required to have a deep understanding of the business strategy and operations across all levels of the organization.
  • Must adapt their methodologies to increasingly utilize technology in the execution of their audits. This will provide efficiency gains as well as deeper insights into the business, and further develop the value perception and credibility of IA.
  • Should provide assurance, but in addition also deliver insights into the business.

The top 16 key risks to focus on for 2017 and 2018 are the following:

  • Regulatory compliance
  • IT governance
  • Tax compliance
  • Outsourcing
  • Effectiveness and efficiency of operational processes
  • Management of third-party relationships and risks
  • Organization-wide initiatives/projects
  • Cybersecurity
  • Ethics and integrity of the organization
  • Data analytics and mass data usage
  • Integrated ERM and monitoring
  • Effective talent management
  • Mergers, Acquisitions, and Divestitures
  • Trade Environment and Customs
  • Alignment of operations to organization’s strategy and objectives
  • Data protection and privacy

Let’s highlight some of the emerging risks of this time:

1 Cybersecurity

Important drivers to mitigate cybersecurity risks are:

  • Preventing reputational damage to the organization, especially with regard to lost customer data.
  • Ensuring the security of capital, intellectual property and other privileged information.

Internal audit can help by performing a risk assessment of the organization's cybersecurity process with reference to best practice industry standards and providing process improvement recommendations, or by conducting penetration testing of selected IT testing.

Therefore, IA should have a sound understanding of the organization’s cybersecurity concept and design (including the future IT security strategy), and should have knowledge of good practice in cybersecurity and general IT-related processes.

2 Ethics and integrity of the organization

Drivers of the ethics and integrity risks for the organization are:

  • Limited effectiveness of existing anti-bribery and corruption compliance activities in eliminating such activities.
  • Emerging regulatory and compliance risk introduced to the organization by various factors such as organic expansion into new markets, dealing with third parties or business acquisitions.

Internal audit can conduct a gap analysis of the organization’s existing anti-bribery and corruption procedures in comparison to leading practices. In addition, internal audit could enhance return on investment by embedding anti-bribery and corruption procedures into its existing/scheduled audits.
As a consequence, IA needs expertise in, for example, performing cross-border bribery and corruption investigations, and should have an understanding of the organization’s governance structure and ethical framework.

3 Management of third-party relationships

Third-party relationships expose organizations to new risks and potential compliance failures. Compliance failures may occur due to the complexity of the agreement itself or the business environment that the organization operates in. In addition, an increase in potential data security breaches and operations in areas of political uncertainty are some of the underlying risks.

In order to mitigate these risks, organizations need to implement controls:

  • Increasing oversight
  • Enhancing cost reduction
  • Improving contract governance

IA can help by, for example, reviewing third-party selection and due diligence processes or monitoring regulatory development related to third parties.

For more information on the Top 16 risks in 2017 and 2018, read the publication on Key Risks for Internal Audit.

© 2019 KPMG Advisory, a Belgian civil CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.