Annual risk-oriented audit planning is both mandatory and optional. In a changing world characterised by globalisation, climate change, geopolitical risks and advancing digitalisation, the primary task of internal auditing is to anticipate new risks and consistently align its own approaches and methods accordingly. The VUCA risks (volatility, uncertainty, complexity and ambiguity) lead to a challenging dynamic for the risk orientation of internal auditing, which is expressed in particular in risk-oriented audit planning.

Risk-oriented audit planning should be determined based on the organizational risk profile (GIAS Standard 9.1). Audit planning is based on data from previous audits, risk management, compliance, accounting, and business processes. Additionally, individual factors and EHS information (Environment, Health, Safety) are incorporated into the planning. Furthermore, compliance with topical requirements¹ must be considered in the relevant audit areas. Approximately 40 percent of the participants in the survey² we conducted indicated that the topical requirements have already been extensively or fully considered in the current audit planning.

In our view, the following KPMG Internal Audit Hot Topics represent a selection of current topics, trends and drivers.

They can be divided into four areas of consideration:

Compliance

  • EU AI Act – Risk-based classification, requirements for high-risk AI systems, rules for general purpose AI models
  • NIS2 – Extended scope of application, definition of risk and crisis management components, enhanced reporting obligations for incidents
  • Cyber Resilience Act – Digital products need to adhere to the CRA with security by design, vulnerability management and incident reporting
  • Whistleblower Protection Act – Reporting channels, case management, safeguard measures for whistleblowers
  • FISG and GCGC A.5 Compliance – Basis and validation process for the statement upon appropriateness and effectiveness of corporate governance systems in the management report
  • Sanctions and embargoes – Compliance requirements for businesses, policies and procedures to manage associated risks, monitoring/handling of false positive screening alerts
  • Risk management – Process-independent monitoring of the risk early warning system

Operational

  • Resilience and business continuity – Business impact analysis and business continuity strategy
  • Macroeconomics and geopolitical uncertainty – Supply chain disruption, financial resilience, inflation and liquidity, trade embargoes and sanctions
  • Tariff strategy – Complexity, disruption and rapid changes due to new or altered customs announcements (for example, impact, risk management, scenarios, and strategy)
  • Dealing with external risks – Identification, assessment, management and monitoring of external risks, reprioritize audit plan
  • Stakeholder relationships – Business partner due diligence and know your customer
  • Finance transformation – New ERP, automation, digitalisation
  • HR transformation – Diversity, talent management, employee retention

IT systems and data governance

  • Industrial control system – Efficient and safe operation of machinery and equipment as well as IT security in the areas of factory automation and process control
  • Cybersecurity and data protection – Cybersecurity maturity, adequate measures to prevent data loss incidents
  • AI governance (GenAI) – Requirements for deployment and use of GenAI tools, AI risk & compliance assessment, AI security and privacy strategy, AI assurance and risk monitoring
  • DAC 7 – Compliance with e-invoicing and tax obligations
  • Hybrid working – Data protection and security requirements
  • ESG Reporting – Integration of ESG reporting tools into the existing IT structure

ESG

  • ESG regulations and transformation – Monitor regulatory changes and make changes in established processes
  • ESG governance – Target operating model, evaluation and monitoring of the achievement of corporate social responsibility goals
  • ESG risk management – Integration of ESG risks into the company-wide risk management system, considering physical and transition risks regarding climate change and further environmental topics, social and governance risks
  • ESG Data Governance – Collection, processing and verification of non-financial data generated by various groups, implementation of internal controls (COSO Framework)
  • EU CSDDD – Readiness and compliance with legal requirements regarding human rights and environment protection
  • CSRD and/or voluntary reporting (VSME) Readiness and Maturity – Proper ESG reporting
  • EU Deforestation Regulation – Supply chain and due diligence
  • EU Green Deal Compliance – Resource efficiency, green technologies, transparency of reporting
  • Perfluoroalkyl and Polyfluoroalkyl Substances (PFAS) – Readiness for future requirements
  • Carbon Border Adjustment Mechanism (CBAM) – Compliance with requirements in connection with the CO2 border adjustment levy
  • Energy transition – Energy strategy, change programs, monitoring

¹ Topical requirements are specific standards designed to improve the quality and coherence of internal audits. For specific topics, these requirements must be adhered to during the execution of audit engagements.

² KPMG GIAS Survey (August 2024)