How internal auditors are adjusting to changing risk profiles

Stephen Dabney and Michael A. Smith of KPMG identify emerging risks for internal auditors to have on their radars.

Last year, as COVID-19 disrupted lives and businesses around the world, internal auditors quickly shifted the focus of their audit plans to the critical risks posed by the virus, identifying and reviewing management’s assessment of those risks as well as related remediation plans and controls. Audit committee members we surveyed in June–July 2020 said that, by and large, that shift was successful, and internal audit plans proved flexible.

Internal auditors face a similarly difficult challenge in 2021: to identify the emerging risks that are critical to the company’s reputation, strategy, and operations while ensuring that their audit plans are risk-based, flexible, and dynamic amid continuing disruption and uncertainty. How is the company’s risk profile changing in light of COVID-19 developments, the recession, trade and geopolitical tensions, and other megatrends?

Making those assessments will require:

  • a solid understanding of the business strategy and operations throughout all levels of the organization and the expectations of the company’s key stakeholders
  • an ongoing risk assessment process (rather than an annual or semi-annual event)
  • coordination and collaboration among the internal auditor, the chief risk officer, and functional and business unit leaders.

Stephen T. Dabney
Leader, KPMG Audit Committee Institute, KPMG US

Michael A. Smith
Partner, Advisory, and U.S. Internal Audit Solution Leader, KPMG US

To help frame and focus its work, internal audit should ask:

  • What has changed in the operating environment?
  • What risks are posed by the company’s digital transformation and its sourcing, outsourcing, and sales and distribution channels?
  • Is the company sensitive to early warning signs regarding safety, product quality, and compliance?
  • What longer-term impact will accelerating megatrends have on the new business and risk environment?

Based on our survey work and discussions with audit committee members and internal auditors, we identified emerging risks that internal auditors should have on their radars as they adapt their internal audit plans in the months ahead.

Cybersecurity and data governance risks. It’s no surprise that cybersecurity remains a top risk given the shifts to remote work, digital transformation, online customer engagement, and the growing sophistication of cyberattackers, including nation-states. The SolarWinds cyberattack increased concerns about the risks posed by third-party vendors. Among the questions internal audit should ask: Does the company’s data governance framework make clear how and what data is being collected, stored, managed, and used—and who makes decisions regarding these issues?

Culture, ethics, and compliance risks. COVID-19 has increased the reputational costs of an ethics or compliance failure, particularly given the changed control environment, increased fraud risk, and pressure on management to meet financial targets.

Evolving COVID-19 risks. Leaders are grappling with reopening their businesses safely, managing remote workforces, accelerating digital transformation, building more resilient supply chains, and strengthening connections with customers. Navigating the uncertainty will require a sharp focus on people, liquidity, operational risks, and contingencies while keeping sight of the broader strategy.

Longer-term risks posed by accelerating megatrends and the new normal. From climate risk to cyber threats, scenario planning will be critical as companies adjust to their new normal. It’s critical that internal audit has a seat at the table.

ESG risks. COVID-19 is accelerating shifts in stakeholder views of corporate performance and how companies oversee and disclose ESG risks. Internal audit should understand the company’s ESG strategy to provide assurance and advise on controls.

Climate change risk. “Climate change is one of the greatest challenges facing the planet today, and we believe businesses are an essential part of the solution,” said Doug McMillon, president and CEO of Walmart Inc. and chairman of Business Roundtable, in a statement last September.[1] In his 2020 letter to CEOs, BlackRock Chairman and CEO Larry Fink called climate change a “defining factor in companies’ long-term prospects” and predicted that “we are on the edge of a fundamental reshaping of finance” as investors seek “to understand both the physical risks associated with climate change as well as the ways that climate policy will impact prices, costs, and demand across the entire economy.”[2] The Biden administration has made climate a key priority on its policy agenda, and the SEC has made corporate disclosure requirements concerning climate change a top priority,[3] creating an enforcement task force focused on climate and ESG issues.[4] In this environment, internal audit will want to prioritize climate risk and assess whether management’s ERM processes include an appropriate focus on the risks that climate change poses to the company’s strategy, operations, and reputation.

Human capital management risks. COVID-19 and social unrest have amplified the importance of human capital management to a company’s performance and reputation, driving demand for better disclosure of how the board oversees human capital and talent development programs and their link to strategy.

Risks posed by the federal agenda. What risks will the Biden administration’s policy initiatives pose in 2021 and beyond? Internal audit should focus its attention in coordination with the company’s enterprise-wide response to near-term policy initiatives, such as the economic stimulus package, tax reform, infrastructure, the SEC’s regulatory agenda (particularly potential new disclosure rules regarding ESG issues), trade policy, and climate-related regulation. The risks posed by reregulation, new regulation, and stepped-up regulatory enforcement must also be considered.

Crisis readiness. Companies’ crisis response plans must focus on resilience—maintaining operations in the face of a disaster. How robust are management’s plans? Is the company prepared for the worst-case scenarios—e.g., extended periods of supply chain disruption, substantial sustained reduction in sales and revenue, and the loss of key personnel?

In assessing these and other risks, the details and the data are critical. But given the unprecedented complexity and uncertainties ahead, it has never been more important for internal audit—as the audit committee’s eyes and ears—to help paint a holistic picture of the company’s vulnerabilities and opportunities to help it keep sight of the big picture.

For additional reading, see Getting better at seeing ahead and find more on internal audit and enterprise risk at

Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.


[1] Business Roundtable: Market-Based Solutions Best Approach to Combat Climate Change, Business Roundtable press release, September 16, 2020.

[2] Larry Fink’s 2020 letter to CEOs, BlackRock, Inc., 2020.

[3] Statement on the Review of Climate-Related Disclosure, Acting SEC Chair Allison Herren Lee, February 24, 2021.

[4] SEC Announces Enforcement Task Force Focused on Climate and ESG Issues, SEC press release, March 4, 2021.
