Key Auditor Priorities for 2025 Inspections

🔎 Internal Audit in 2025: In today’s volatile, tech-driven landscape, internal audit functions are under pressure to expand their oversight beyond traditional risks. KPMG’s 2025 guidance recognizes the growing need for dynamic, predictive, and tech-integrated auditing—particularly when it comes to #financialcrime risk, third-party oversight, and #regulatory assurance. 💥 Polycrisis = #Compliance Complexity From inflation shocks to geopolitical fragmentation and supply chain fragility, the era of “polycrisis” is reshaping control environments. For FCC professionals, this raises red flags across: • #Sanctions circumvention through alternate payment routes • Corruption risks in unstable jurisdictions • Data governance gaps in supplier onboarding Internal #Audit is urged to embed geopolitical risk assessment into audit plans, mirroring how financial crime teams now incorporate sanctions regimes, export controls, and reputational screening. 🔗 Third Parties & Supply Chain Outsourced processes and third-party vendors—often handling KYC, data processing, or customer support—are under the microscope. KPMG stresses that internal audit must now: • Evaluate the resilience and ethics of third-party networks • Review how ESG, transparency, and data handling risks are managed • Challenge any concentration risk in jurisdictions with #AML or bribery exposure This aligns closely with FCC obligations to monitor third-party onboarding, UBO, and vendor involvement in customer journeys. 🛡️ Cybersecurity & Data Privacy Cyber breaches, data leaks, and privacy violations are not just IT issues—they’re core FCC risks with direct implications for regulatory breaches, reputational harm, and insider fraud. The report calls on Internal Audit to: • Perform technical assessments (e.g., penetration testing, access management) • Review breach response protocols, especially for cross-border incidents • Validate controls around data collected through digital #KYC and onboarding For FCC teams, this overlaps with safeguarding SAR confidentiality, PEP screening results, and customer risk ratings. ⚙️ AI, Emerging Tech & Regulated Automation KPMG highlights the need for audit coverage of AI deployments—especially where used in decision-making, client due diligence, or fraud detection. Internal Audit should assess: • How AI is trained and validated • If models are explainable and free of bias • Whether appropriate controls exist over algorithmic updates. 📉 Liquidity, Inflation, and Financial Exposure Audit functions are expected to probe financial strain risks—including liquidity crunches and inflationary pressure—which may drive desperation-driven misconduct such as: • Insider trading • Fraudulent expense practices • Manipulation of reporting thresholds Internal Audit must remain vigilant in testing internal controls, whistleblower frameworks, and cash flow integrity—areas tightly coupled to AML, fraud, and internal crime detection frameworks.

What to audit in 2026? The Risk in Focus 2026 Global Summary shows how fast the world of risks is shifting. Some lessons stand out clearly: ➤ Global view ↳ Cybersecurity remains the top risk and top audit priority. ↳ Digital disruption (including AI) jumped sharply to No. 2 risk worldwide. ↳ Geopolitical uncertainty is rising, especially in North America, Europe, and Latin America. ↳ Business resilience, human capital, and regulatory change remain high on the list. ➤ Asia Pacific view ↳ Top risks are cybersecurity, business resilience, and human capital. ↳ Digital disruption is rising, but there’s a gap: 39% see it as a top risk, yet only 25% list it as an audit priority. ↳ Geopolitical risk is lower here (35%) than the global average, but still growing. ↳ Human capital risk is especially pressing, with skill shortages and talent migration challenging organizations. 💡 Actionable insights for internal auditors ↳ Close the gaps: Align audit priorities with emerging risks like AI and digital disruption. ↳ Strengthen talent focus: Support your organizations in upskilling, retention, and adapting to workforce changes. ↳ Build resilience: Use audits to test how organizations respond to shocks in supply chains, markets, and geopolitics. ↳ Stay forward-looking: Move beyond assurance to provide foresight on technology and regulatory shifts. What do you see as the biggest gap between risks and audit priorities in your organization? Reference: Risk in Focus 2026 Global Summary. 2025. Internal Audit Foundation, The Institute of Internal Auditors Inc. (link to download the publication is provided in the comments) #InternalAudit #ITaudit #digitaltransformation

The New Global Internal Audit Standards become effective on January 9, 2025, centers on a fundamental shift from a compliance-focused practice to a strategic, value-driven function. Led by the Institute of Internal Auditors (IIA), this updated framework is more agile, principles-based, and prescriptive, equipping internal auditors to address the complex and rapidly changing risk landscape. Key themes dominating the conversation in 2025 include: Strategic alignment and enhanced governance Mandatory strategy: Chief Audit Executives (CAEs) are now required to develop and implement a formal strategy for the internal audit (IA) function that aligns with the organization's strategic objectives and stakeholder expectations. Increased board engagement: The new standards mandate increased involvement from the board and senior management. This includes formally authorizing the IA charter and collaborating on performance metrics to ensure IA's mission and strategic value are understood. Collaboration across defense lines: The standards require CAEs to actively coordinate with other assurance providers and the "three lines of defense" (management, risk management, and internal audit). This reduces redundancies, improves efficiency, and gives the board a more complete view of the organization's risk profile.  Leveraging technology Tech-driven assurance: IA functions are under pressure to adopt technology like AI, data analytics, and workflow automation to enhance efficiency, quality, and precision. AI is used to automate manual tasks and perform deeper, continuous risk sensing rather than periodic reviews. Digital strategy: The standards require IA to have a defined digital strategy. Technology should be used comprehensively to enhance processes, from automating delivery to using advanced analytics for fraud detection and continuous monitoring. Next-generation auditor skills: The rise of new technologies demands that auditors acquire new skills in areas like data science, AI, and cybersecurity. Firms are focusing on digital upskilling and leveraging co-sourcing to bridge talent gaps. Performance beyond compliance: The definition of quality has expanded beyond simple conformance to the standards to include performance that demonstrates strategic value. IA teams are moving from a "check-the-box" mentality to a more forward-looking, proactive advisory role. Evaluation of findings: Findings must now be prioritized based on significance and include an engagement conclusion that summarizes results against engagement objectives. Updated quality assurance (QA): Requirements for the Quality Assurance and Improvement Program (QAIP) have been elevated. This includes assessing IA's contribution to governance and risk processes and regularly monitoring performance against objectives. New topical requirements: The IIA is introducing "Topical Requirements" to provide mandatory guidance on critical and emerging risk areas.

What Can You Learn from Deloitte's 2025 FRC Review? Seven good practices you can implement today. And two areas of improvement to avoid… The FRC's annual review of Deloitte's 2025 audits has highlighted several important points that other accounting firm leaders can learn from. Overall, 95% of Deloitte’s audits inspected were graded as “Good or limited improvements required”. None of their audits were graded as “Significant improvements required”. Here are the highlights: Good Practices: - Robust risk assessment procedures  - Effective group audit oversight  - Accounting estimates and judgements - Revenue, effective data analytics, and extensive alternative procedures confirmed completeness  - Quality Management Technical panel assessed the complex accounting approach and conclusions  - Climate disclosures: TCFD improvement suggestions with peer company examples  - Reporting to the Audit Committee, good standard with detailed risk assessment Lessons to Learn: 1. To improve the quality and consistency of audits involving valuation and impairment assessments, auditors must rigorously evaluate and challenge management’s forecasts, assumptions, and indicators of impairment when assessing asset recoverability. They must also thoroughly test the completeness and accuracy of data inputs used in valuation and impairment models to avoid similar shortcomings. 2. To improve aspects of the audit of revenue, auditors must apply rigorous procedures when evaluating contract accounting, including the reliability of forecast revenue supporting asset valuations. They must also strengthen substantive analytical procedures (when used) testing by setting precise expectations, investigating variances thoroughly, and validating data inputs to avoid recurring weaknesses. All firms can learn from the findings shared here from the FRC’s regulatory inspections. This is the black box of the audit world. Most of these learnings apply no matter what your firm's size or geography. Read the key points in my summary!  

Boardrooms Under Pressure ...... Why Audit Committees Are Feeling the Strain The Expanding Mandate Audit committees today are navigating far more than balance sheets. According to the KPMG Audit Committee Survey Report 2025, oversight responsibilities now stretch across cybersecurity, data governance, ESG, AI, and geopolitical volatility. This expansion has made the traditional remit of financial reporting just one part of a far more complex landscape. Boards rank digital oversight as their biggest concern. With 78% citing cybersecurity as a top priority, followed by insider threats and data privacy, it’s clear that the risk environment is evolving faster than boardroom skills. Notably, oversight of GenAI adoption remains weak, despite its rising use in business operations. Source : KPMG Report 2025 #Corporategovernance #Independentdirectors #Auditcommitees #Boardroomreforms