Tapping into internal audit’s holistic view of risks

A look at emerging risks that should be front-and-center for internal auditors in the current environment.

When COVID-19 began to disrupt businesses across the globe last year, internal auditors shifted their focus to the critical risks posed by the virus, identifying and reviewing management’s assessment of those risks as well as related remediation plans and controls. Audit committee members we surveyed last summer said that, by and large, that shift was successful, and internal audit plans proved flexible. Today, internal auditors face a similarly difficult challenge: identifying emerging risks that are critical to the company’s operations, strategy, and reputation while ensuring that their audit plans are risk-based, flexible, and dynamic in light of COVID-19 developments, the recession, and other macrotrends.

From an internal audit perspective, assessing the critical risks and strategic opportunities in this environment will require

  • a solid understanding of both the business strategy and operations at all levels of the organization and the expectations of the company’s key stakeholders; 
  • an ongoing assessment process; and  
  • integration and collaboration among internal audit, second-line functions, and functional and business unit leaders.


Stephen T. Dabney

Stephen T. Dabney

Leader, KPMG Audit Committee Institute, KPMG US

Michael A. Smith

Michael A. Smith

Partner, Advisory, and U.S. Internal Audit Solution Leader, KPMG US

+1 214-840-6019

In addition, internal audit should ask the following key questions to help frame and focus its work:

  • What’s changed in the operating model?
  • What risks are posed by the company’s digital transformation and its sourcing, outsourcing, and sales and distribution channels?
  • Is the company sensitive to early warning signs regarding safety, product quality, and compliance?
  • What longer-term impact will accelerating megatrends have on the new business and risk environment?

As internal auditors adjust their audit plans, seven emerging risks should be front-and-center.

Cybersecurity and data governance. Cybersecurity remains a top risk, given the shifts to remote work, digital transformation, online customer engagement, and the growing sophistication of cyber attackers. The recent SolarWinds cyberattack has increased concerns about the risks posed by third-party vendors. Among the questions internal audit should be asking: Does the company’s data governance framework make clear how and what data is being collected, stored, managed, used, and accessed—and who makes decisions regarding these issues? Are monitoring and response plans focused on limiting day-one impacts when a breach occurs?

Culture, ethics, and compliance. COVID-19 has increased the reputational costs of an ethics or compliance failure, particularly given the changed control environment, increased fraud risk, and the pressure on management to meet financial targets.

Evolving COVID-19 risks. Leaders must grapple with reopening their businesses, managing remote workforces, accelerating digital transformation, building more resilient supply chains, and strengthening connections with customers. Navigating this uncertain environment will require a sharp focus on people, liquidity, operational risks, and contingencies while maintaining sight of the overall strategy.

Accelerating megatrends. From climate risk to cyber threats, scenario planning will be critical as we adjust to the new normal, and internal audit needs a seat at the table.

Environmental, social, and governance (ESG). COVID-19 is accelerating shifts in how stakeholders view corporate performance and companies oversee and disclose ESG risks. Internal audit should understand ESG strategy to provide assurance and advise on controls.

Human capital management. Issues related to COVID-19 and social unrest have amplified the importance of human capital management to a company’s performance and reputation, driving demand for better disclosure of how the board oversees human capital and talent development programs and their link to strategy.

Regulatory enforcement. Consider the risks posed by increased regulatory enforcement going forward. Tax reform, the U.S. Securities and Exchange Commission’s regulatory agenda, trade policy, climate-related regulation, and other changes will require internal audit’s attention in coordination with the enterprise response.

Crisis readiness. Is the company prepared for the next major crisis? Can the lessons of 2020 help build a more resilient enterprise that can quickly respond to growth opportunities and adversity?

Given the unprecedented complexity and uncertainties ahead, it has never been more important for internal audit—as the audit committee’s eyes and ears—to help paint a holistic picture of the company’s vulnerabilities and opportunities. That will require details and data, but the big picture is vital.

This article originally appeared in the March/April 2021 issue of NACD Directorship magazine.

Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

Download PDF

Tapping into internal audit's holistic view of risk
Emerging risks that internal auditors should have on their radars as they adjust their audit plans.

Receive the latest from KPMG Board Leadership Center

Board Leadership Weekly, Directors Quarterly, and more

Board Leadership Weekly, Directors Quarterly, and more