IT Internal Audit Planning for 2025

Read our companion global article: The KPMG Global IT internal audit outlook:

As IT audit teams are actively planning for 2025, it is important for them to understand the organizational IT strategy and align the plan to the strategic direction of the company. With so much change, such as the continued evolution of the cloud landscape, artificial intelligence (AI), increased levels of technical debt and increased focus from regulators on IT matters, organizations must be able to articulate how their plan is aligned to the risks of the enterprise.

With this understanding, a comprehensive and high-impact technology audit plan should be developed that aligns to company-wide growth strategies and associated risk factors to drive value throughout the entire organization. The use of company-wide strategic objectives, as well as external factors (e.g. new technologies, changes in regulations) and alignment with the enterprise risk team to build the plan can also foster alignment between Internal Audit and business units within the organization (enterprise risk management (ERM) and information security, legal, etc.), enhancing the organization's ability to mitigate risks, and facilitating the creation of value-driven initiatives that drive growth and deliver benefits across the enterprise.

Once key audits have been identified, it is important to be thoughtful about how each is scoped and approached to ensure the plan focuses on the risk objectives previously identified and potential value to the organization. In this publication, we will highlight what we see across the marketplace to help you drive value throughout your plan, as well as ‘hot’ topics to consider as you develop your 2025 audit plan.

Download our article here.

Topics to Integrate for Your 2025 Planning

Application modernization and legacy technology risk: Legacy technology management presents significant risks for organizations, including security vulnerabilities and increased exposure to cybersecurity attacks due to outdated systems and limited support from vendors, leading to potential operational disruption security threats.

Cloud strategy: The wide adoption of cloud computing without proper governance measures can lead to security risks, unnecessary costs from underutilization and overpaying for services, as well as challenges in managing multiple cloud providers and optimizing spending.

Artificial intelligence (AI): The emergence of AI technology presents significant disruption and risk, due to the need for changes in thinking and behavior, the generation of new operational and strategic risks, as well as potential challenges in quantifying and mitigating risks.

Operational technology (OT) / Internet of Things (IoT): The increasing sophistication of cyber attacks poses a threat to critical infrastructure and overall organizational stability, requiring alignment between business and IT to achieve operational efficiency and mitigate risks in the complex IT, OT, and IOT systems landscape.

Technology resilience: Ensuring operational and technology resiliency is crucial in preventing business interruptions that can impact organizational objectives, necessitating investment in technology solutions and processes for recovering from cyberattacks, system failures, and human errors.

IT asset management: Effective IT asset management is essential for establishing strong IT governance, as visibility into the asset lifecycle enables cost optimization, resource allocation, and identification of consolidation or standardization opportunities.

Business modernization and transformation: Implementing business modernization initiatives, whether through new technologies or processes, requires a comprehensive approach to manage risks across operational controls, change management, security, etc., in order to minimize disruptions to business operations.

Regulatory compliance: Regulatory changes impose new obligations on businesses, and IT organizations must remain informed and assess their impact on systems and processes to ensure compliance, avoiding penalties, legal issues, and reputational harm.

Third-party risk: Assessing risks associated with third-party dependencies is crucial for organizations as disruptions or failures from such providers directly impact IT operations, systems, services, and overall organizational goals.

Data governance: Data underpins every activity that organizations perform, and data governance remains one of the most important areas to be audited.

Dive into our thinking:

IT Internal Audit Planning for 2025

Download PDF

By building a robust and thoughtful 2025 technology audit plan, you can enhance Internal Audit’s role as a strategic partner with business leaders as the organization continues to evolve and adapt. Fostering alignment between Internal Audit and the senior leadership teams enhances the organization's ability to mitigate risks and facilitates the creation of value-driven initiatives that drive growth and deliver benefits across the board. To build this plan, key considerations to keep in mind include:

Reviewing and adjusting top risks to your company on a periodic basis.
Aligning audit objectives with company-wide growth strategies, whilst considering external risk factors to drive value throughout the entire organization.
Ensuring your Internal Audit team has the right training and skillsets to identify and deliver the identified audits, adding value to the business.

Finally, aligning the audit plan to the risk agenda for your organization is crucial. It requires a deep understanding of your organizational IT strategy and a careful assessment of the core activities that are essential for your success.

By identifying these key areas, you can develop a technology audit plan that is tailored to your organization's specific needs and risk profile. This targeted approach ensures that the audit plan aligns with your company-wide growth strategies and addresses the most pressing risks and challenges you may face.

By selecting the right topics, you can drive value throughout your entire organization and lay the foundation for a successful future in the rapidly evolving technological landscape.

How KPMG can help

Given how closely KPMG works with many of the world’s leading organizations, we have unique insights based on industry expertise that help us understand what a business must get right to deliver on its objectives.

An audit plan should never be constrained by the resources you have available, the breadth of services that we provide allow us to bring subject matter expertise to any audit topic which can bring not just credibility to your Internal Audit function but can also bring value to the organization.

Based on the risk within your organization and the demand for audits, we can help you to scale your resource model to be able to effectively develop and deliver your plan.

Explore more