At a time of unceasing change and disruption, internal auditors are under more pressure than ever before to get ahead of potential risks. Colm Laird outlines some of their most pressing priorities for 2025.
Internal auditors must remain agile and responsive to change as their organisations contend with fast-evolving challenges.
Having endured unprecedented levels of uncertainty and disruption in recent years, many organisations continue to face threats and challenges posed by prevailing economic and geopolitical conditions, changing stakeholder outlooks, stringent regulatory requirements and heightened digitisation.
Outlined here are some of the key thematic areas and related risks internal auditors should consider in 2025 when assessing their organisation’s risk profile and control environment.
Economic and geopolitical uncertainty
Despite years of economic and geopolitical instability, global economic growth remained resilient in 2024, with further recovery expected this year. The geopolitical landscape remains unstable, however, with escalating conflicts, trade tensions and political transitions all posing potential risk.
Inflation is falling, leading to lower interest rates in the European Union, Britain and the US, as evidenced by the three rate cuts introduced by the European Central Bank in 2024.
Despite this trend, some sectors remain cautious due to ongoing uncertainties and potential supply chain disruptions.
Organisations should prioritise implementing long-term strategies to navigate these challenges and manage associated risks.
Internal auditors should assess how the first and second lines of defence can effectively mitigate increased risks and impacts, focusing on long-term strategies, third-party supplier vulnerabilities and capital planning and management procedures.
Operational resilience
Mounting global interdependency, technology-led transformation and recent service outages all point to increased potential for organisational disruption.
Alongside economic, geopolitical and environmental instability, this trend highlights the need for organisations to:
Manage operational risk.
Plan for contingencies.
Maintain up-to-date business continuity, disaster recovery and cyber response plans.
Having taken effect in January 2025, the EU’s Digital Operational Resilience Act (DORA) applies to financial entities and their third-party information and communication technology (ICT) providers.
Published by the EU Commission, DORA creates a comprehensive framework designed to help financial firms endure ICT-related disruptions and remain operational.
To support this, internal auditors should assess the effectiveness of operational resilience and crisis management protocols, ensuring key threats are addressed and response plans are adequate.
They should also review business continuity measures to ensure emerging risks are considered.
Third-party relations and supply chain
Supply chain risks have been heightened by the fragmented geopolitical landscape dominated by ongoing conflicts in Ukraine and the Middle East, protectionism, policy interventions and shifting consumer expectations.
These factors influence organisations’ supply chain strategies and investments, increasing complexity and cost. Here, the robust risk management of outsourced relationships and supplier diversification is critical.
Organisations must also enhance transparency, ethics and environmental, social and governance (ESG) implications in their supply chains, carrying out risk assessments and due diligence of third parties.
Additionally, automation of supply chains using artificial intelligence (AI), blockchain and machine learning is increasing.
Internal audit must, therefore, assess the maturity and resilience of supply chains and advise on the suitability of the supply chain operating model, ensuring all risks associated with current macroeconomic and geopolitical conditions are considered.
Talent management and retention
The recruitment and retention of skilled personnel remain a significant hurdle for many employers, who continue to face challenges sourcing talent in a candidate-led recruitment market.
Exacerbating factors include the availability and affordability of housing, salary expectations and flexible working demands.
Many organisations are reverting to pre-pandemic working arrangements, with current trends suggesting we will see more of this in 2025.
Employees are increasingly seeking out more meaning, purpose, fulfilment and flexibility in their work. Those organisations that fail to adapt their value proposition to this shift may struggle to attract and retain the people they need.
Here, internal auditors should appraise their organisation’s workforce planning, talent acquisition and retention strategies, with the aim of understanding and mitigating the impact of staff shortages and turnover.
Management oversight should also be assessed alongside initiatives aimed at enhancing the value proposition for employees with a particular emphasis on soliciting employee input and feedback.
Environmental, social and governance
Beyond mere compliance, many organisations view ESG as a means to enhance value, attract talent, strengthen employee engagement and drive financial performance.
The EU’s Corporate Sustainability Reporting Directive (CSRD) mandates in-scope organisations to be transparent and accountable regarding ESG matters.
In 2025, those companies first in-scope for CSRD will be required to disclose detailed ESG information for 2024, and more organisations are set to fall within scope of the Directive in the years ahead.
Increased non-financial reporting requirements, combined with stakeholder expectations, compel organisations to integrate ESG into their core strategies.
They must consider both their own “inside-out” impact on people and the environment and the ESG-related risks and opportunities they face from an “outside-in” perspective.
For their part, internal auditors should review their organisation’s CSRD reporting readiness assessments to ensure that the appropriate processes are in place to support the introduction of ESG metrics.
ESG risks and strategies should be aligned with initiatives such as the United Nations’ Sustainable Development Goals and the European Green Deal.
Fraud and financial crime
The prevalence and potency of fraud and financial crime are escalating globally. Sophisticated techniques have intensified the velocity, veracity and volume of fraudulent activity, heightening risks as traditional defences struggle to keep pace.
Advances in technology have given criminals greater scope to exploit organisational vulnerabilities, highlighting the need for robust, adaptive approaches to combat evolving threats.
Fraud and financial crime transcend borders, complicating investigations and prosecutions. Increased global connectivity exacerbates these threats, as instability in one region can impact global markets.
In response to these developments, internal audit should assess the strategies, tools and technologies deployed in their organisation to ensure that risks associated with fraud and financial crime are managed, while also providing advice on governance and control matters.
Cyber security
As we look to the year ahead, cyber security will continue to be a key focus for organisations.
Cyber-attacks and data breaches rose in 2024, with increasing velocity, volume and sophistication, exacerbating threats to business continuity and heightening the risk of both reputational damage and financial loss.
The ongoing digitisation of business models and processes, and the increasingly sophisticated technology available to cyber criminals, necessitate the introduction of robust cyber security measures so that organisations can maintain operations, safeguard stakeholder trust and mitigate future attacks.
Organisations must embed cyber security in core processes and raise workforce awareness to reduce the impacts of inevitable cyber-attacks.
Internal auditors should assess existing controls to mitigate cyber security risks and provide assurance on governance and oversight structures across the three lines of defence.
Data privacy and governance
In a technology-enabled environment, organisations must prioritise data privacy and protection.
The EU’s General Data Protection Regulation (GDPR) enforces strict regulations protecting personal data, granting individuals control over their information.
Organisations must review their data privacy frameworks to ensure GDPR compliance. Non-compliance amplifies legal and financial risks and exposes organisations to reputational damage.
Global interconnectedness magnifies the importance of complying with international data transfer rules.
The Data Protection Commission Annual Report 2023 highlighted issues regarding the unauthorised access and disclosure of personal data, often due to employees’ lack of understanding of their responsibilities.
Internal auditors should assess their organisation’s data privacy and protection framework, ensuring compliance with regulatory requirements in data collection, retention, disclosure and transfer, as well as ensuring sufficient staff awareness and appropriate training. Reviews should identify third-party processors and monitor their access to organisational data.
Digital disruption and emerging technology
The emergence of AI has garnered many headlines and much excitement among those convinced of its potentially transformative effects on life and business. In tandem with this potential, however, comes a raft of new AI-enabled risks and concerns regarding appropriate usage.
In response, the European Parliament has approved the EU AI Act, effective from 1 August 2024, with the aim of ensuring a balanced approach to AI adoption and safeguarding against risk.
The Act establishes tiered regulatory requirements for AI applications based on risk levels, with prohibitions on certain AI systems coming into effect in February 2025 and the majority of provisions applying from August 2026.
Here, organisations are advised to adopt an integrated approach across legal, compliance, IT and product delivery functions to navigate AI’s complex regulatory environment while also addressing emerging technology risks.
Internal auditors can advise on governance and control matters, engaging with management to enhance AI governance frameworks and internal controls.
Regulatory-driven risk
Organisations face an unprecedented level of regulation in 2025. Regulatory environments continue to evolve, requiring compliance in areas such as ICT, AI, ESG, anti-money laundering and data privacy and security.
This regulatory burden challenges organisations to ensure compliance while remaining agile and adaptable to new obligations.
Internal auditors must understand the regulatory landscape so that they may thoroughly assess governance structures and controls for compliance.
Management oversight and control structures should also be evaluated to determine the organisation’s preparedness for future compliance requirements.
Internal auditors should also remember that the Institute of Internal Auditors 2024 Global Internal Audit Standards, the main component of the International Professional Practices Framework, have been effective since 9 January 2025.
Colm Laird is a Director with KPMG Ireland, specialising in risk, governance and internal audit.