Share with your friends

Key risk areas 2021 Internal Audit: Key risks areas 2021

Internal Audit functions around the world are continuing to expand their impact and influence through the delivery of assurance around the most important risks impacting organizations.

Starting with the planning and scoping of the annual Internal Audit plan, the key question posed to every Head of Internal Audit is “are you aware of the risks concerning Internal Audit today and in the near future?” KPMG have identified some key areas of focus related to risks which the Internal Audit function should consider in developing the 2021 Internal Audit plan and the prioritization of audit topics for the year.

Key risks for 2021 

Without a question, 2020 was defined by the global coronavirus pandemic and a series of unprecedented natural disasters and civil unrests, and is setting a scene for a new business “normal” for years to come. These new developments are accompanied by emerging risks that Internal Audit should take into consideration in its annual plan without neglecting key established risks. As a result, we believe the following risk areas will take the center stage in 2021.

Without a question, 2020 was defined by the global coronavirus pandemic...setting a scene for a new business “normal” for years to come.

Business resilience 

Crisis management and planning will have to be updated for the potential for more waves of the coronavirus, not to mention other possible pandemics that follow a similarly rapid
contagion path.

  • Internal Audit can review whether the business has conducted a review to determine how well it is coping with the crisis.  Consider whether the business continuity or crisis response plans are fit for purpose, are followed in practice and whether they require updating. Internal Audit should also seek evidence of the governance around crisis decision-making and the integrity of data and information reported to crisis committees.


Staff wellbeing and talent management 

2020 saw new ways of working and organising personnel, more flexible working arrangements and greater autonomy driven by remote working during the pandemic. All businesses should have some degree of skills mapping and forecasting capability to understand and anticipate the organisation’s human capital requirements. 

  • Internal Audit should look for evidence that the business understands and is forecasting what skills, competences and attitudes are required to secure its market position and long-term strategic relevance. There is scope here for culture audits, or cultural elements of HR audits, to show how the everyday life of the organisation and the behaviour of its staff reflect the adopted values.

Fraud and the exploitation of operational disruption 

Fraud risk, in particular, has changed significantly during the COVID‑19 pandemic. The control framework and monitoring of potential criminal activity may have become weakened due to reduced headcounts and remote working, leaving gaps in fraud detection and creating opportunities for malicious customers and staff. The pandemic also had a significant impact on short-term liquidity risk, which could also lead to a higher fraud risk being the consequence of cost cutting in the control environment and reduced monitoring activities.

  • Internal Audit can gain insights into the business’s fraud risks by identifying the effects of recent operation disruptions. Internal Audit should identify potential fraud risks, during every audit, and evaluate if the established controls that prevent and recognise fraudulent behavior are still in place and operating effectively.

Digitization and Intelligent Automation 

Artificial intelligence, algorithms, cognitive computing and robotic process automation
(RPA) are among the top technologies that will continue to have a significant impact on the
way we conduct business in the future. As digitalisation continues to disrupt operations, business processes and business models, it ultimately brings new risks and challenges in
this digital age.

  • Internal Audit can help to integrate governance, risk management, and controls throughout the automation program lifecycle by assisting organisations through the change management process. Internal Audit plays a significant role in developing appropriate governance and control frameworks and providing input to create a company-wide digital transformation strategy.  

Third-party management: supply chain disruption and vendor solvency

Third-party risk management remains important
as organizations choose to outsource their business functions to third-party vendors emphasizing an existing need for contract management. As the pandemic is disrupting the supply chain and business service set-up of many companies, relationships with third parties are changing. Vendor insolvencies have the potential to cause massive disruption and few companies accounted for the risk of outsourcing to overseas territories such as India and parts of Southeast Asia and what this would mean in the event of a global pandemic lockdown.

  • Internal Audit should take a holistic view towards third-party risk management, beyond contract management to assess whether the company has a clear vision and a robust framework to support it.
  • Internal Audit can assess whether the business has paid sufficient attention to the need to remodel supply chains and outsourcing strategies to improve its operational resiliency.
blue circuit board

Cyber security and data privacy in the expanded work environment 

The wide-scale shift to homeworking arrangements rapidly increased the vulnerability
of organizations to cyber attacks as work laptops are now forced to share home WiFi networks. There is also a greater potential for controls and safety measures to soften or be circumvented when employees are unsupervised, as they are often overlooked and ignored to save time. Advancements of technology also increase the sophistication and frequency of cyber security attacks and frauds.

  • Internal Audit can offer its view on the extent to which any relaxing or adaptation of controls has increased the risk of data leakage or security breaches. Internal Audit should also check whether cyber security awareness is being sufficiently fostered and whether staff training has been updated in light of changes to the working environment and IT infrastructure.
  • Internal Audit should improve the organisation’s understanding of cyber security risks and identify possible mitigation strategies to these risks to determine if cyber risks have been adequately managed.

Climate change: the next crisis

Internal Audit increasingly recognises the challenge and risks companies face in achieving their sustainability goals and minimizing their contribution to climate change.

  • Internal Audit can assist to establish how well prepared we are for the climate crisis and what we are doing to ensure we are turning it to our advantage rather than contributing to it. Internal Audit can examine this area at an operational level too, given its deep view into the processes that are related to and impacted by sustainability, from materials sourcing to transport and logistics and waste management.

Culture and behaviour soft controls 

Recent studies have shown that companies with a clear purpose and an explicit set of values are more successful; they instill trust from customers and promote comradery among employees.

  • Internal Audit should continue to conduct soft control audits to provide assurance over the current culture in the organisation and its impact on the effectiveness of the controls set in place.

Regulatory driven risk 

Regulatory compliance is driven by ensuring compliance with a number of regulations, both domestically and abroad. Organisations, regardless of industry, are being inundated with new regulatory requirements. These new regulations place growing pressure on executive management and add complexity to the organisational governance and control structure.

  • Internal Audit needs to have a strong understanding of the existing regulatory landscape in which the organisation operates in order to assess compliance with relevant regulatory laws and regulations.
  • Internal Audit can make use of benchmarking and good practice examples to effectively implement legislation requirements into strategies and ensure long-term compliance.

Data management and data and analytics 

Data collection and management is expanding extremely rapidly making the adoption of data and analytics crucial. Technological advances provide businesses with the opportunity to enhance productivity and make smart business decisions, and it is essential that organisations identify the possibilities and risks of integrating these technological capabilities into their business operations and strategies.

  • Internal Audit should assist the organisation with the creation and implementation of data analytics tools and dashboard reporting that is aligned with business needs. Internal Audit plays an important role in developing system-generated exception reporting and automated controls in order to monitor key risk areas.