Key risks to consider by Internal Audit in 2024

Internal Audit must have a sound understanding of the macroeconomic and geopolitical factors that can significantly impact organizational stability and performance. IA should consider the implications of regulatory changes for organization’s international sales activities. This includes for example:

• Trade compliance requirements.
• Restrictions to export specific technology.
• Country-specific risks that affect local sales and profitability.
• Currency fluctuations that can negatively impact gross and net margins. 

Furthermore, the geopolitical context should be included in the assessment of potential fraud risks by considering publications such as the World Economic Forum’s (WEF) Global Risk Report. IA should have a comprehensive understanding of interdependencies. Finally, IA must consider the overall design (methodology), setup (completeness of framework), application (effectiveness) and continuous improvement (evolution) of the organization's compliance management systems (CMS), which put the organization's global regulation and local enforcement into perspective.

An effective people and talent management plays a pivotal role in building and maintaining organizational trust and is the foundation of a “happy” workforce. IA can contribute to the long-term goal of increasing employee well-being by addressing topics such as alignment of the workforce base with the organization’s long-term strategic growth objectives (i.e., workforce planning needs vs. actual availability vs. organizational readiness vs. approved FTE budgets); the design and effectiveness of internal programs related to talent management, succession planning and employee development (i.e., diversity and retention programs); or the consideration of how internal governance structures provide appropriate accountability for the factors that impact the organizational trust and publicly stated commitments (i.e., ambition vs. actual enactment vs. public perception). 

Resilience and cybersecurity are important components of an organization when dealing with external, imminent and hard-to-predicting threats. Resilience addresses the level of readiness and flexibility for potential disruptions caused by internal or external incidents, while cybersecurity protects against digital threats that can affect the organization’s entire IT infrastructure (i.e., production and industry systems, ERP-systems, intellectual property and innovation etc.). The effective and efficient setup, alignment, and execution of these programs ensures that the business can withstand and recover from actual incidents, maintain operational continuity and minimize damage. IA can support the effectiveness of a resilient organization by assessing how the dynamic nature of cybersecurity risks is being dealt with by the IT organization on a recurring basis, reviewing and testing measures and response plans to protect the organization’s assets (i.e., annual testing of the resilience organization, continuous improvement process) and benchmarking the internal setup against best practices.

Digital disruption refers to the transformative impact of technology on the traditional design of the organization’s business model. It addresses questions around the speed of “digital programs” and their operational success (i.e., organizational acceptance, efficiency gains, etc.). While most thought leadership publications link digital disruption to AI (Artificial Intelligence), blockchain or IoT (Internet of Things), the transformation of business operations and the design of a more efficient value chains can take different forms. IA can support this transformation by addressing questions such as how new technologies are being embraced by the organization (i.e., level of implementation and workforce acceptance, cost improvement and efficiency) and whether related programs are actually delivering on their promise (i.e., plans vs. actual delivery vs. costs incurred vs. measured value vs. long-term impact on value-added or supporting processes). 

ESG considerations are increasingly an integral part of Internal Audit activities and should be considered beyond simple, one-time ESG-related audit missions. Besides assessing an organization's level of compliance with ESG regulations, IA should therefore focus on reviewing the overall ESG program and its long-term sustainability in terms of cost, benefits, success and integration into other programs on a recurring basis. By incorporating ESG considerations into standard audit processes, IA helps to increase transparency (ESG perspective on each topic audited), mitigate risks more effectively (i.e., ESG reporting) and align with evolving expectations for ethical and sustainable business practices.