KPMG outlines key risk areas for internal audit in 2027
Internal auditors continue to operate in an increasingly complex and fast-moving risk environment, the big four firm has said.
KPMG has outlined some of the key focus areas for internal audits in 2027, as internal audit leaders develop their plans for the year.
In a recent report, KPMG warned that heightened regulatory expectations, geopolitical disruption, climate-related obligations, and rapid advances in technology are reshaping how risks emerge and how assurance is delivered.
"In this context, the role of internal audit is evolving beyond periodic assurance to a more dynamic, forward-looking function - one that anticipates emerging risk and adapts audit approaches in step with the pace of change," the firm said.
The report noted that one of the key external pressures facing internal auditors was the current uncertainty in geopolitics.
Renewed US trade protectionism, export controls and sanctions have disrupted global supply chains through increased tariffs and customs enforcement.
This means internal auditors will need to carefully assess the organisation's exposure to tariffs, export controls and sanctions across its value chain, the report read.
Greater volatility in global policy will also require internal auditors to undertake scenario analysis to understand the financial and operational impacts of different policies on the organisation.
"This evolving risk landscape requires risk management frameworks to move beyond static, retrospective assessments toward more forward‑looking, predictive and agile approaches," the report read.
"Internal Audit functions are expected to anticipate emerging risks, assess resilience to external shocks, and adapt assurance activity in step with rapidly changing external conditions."
The introduction of mandatory ESG and climate disclosure reporting is another external pressure for internal auditors.
"Internal auditors [should] assess readiness for mandatory ESG and climate disclosures and review governance, controls and the data quality supporting ESG reporting."
They would also need to evaluate alignment between ESG risks, strategy and risk management and provide assurance over ESG governance frameworks, it added.
The report said that, with the technology landscape continuing to evolve rapidly due to the widespread adoption of artificial intelligence, this was another important area for internal auditors to monitor.
"AI and emerging technologies are transforming automation, decision‑making and operating models, while also introducing new risks related to governance, data quality, transparency and control effectiveness."
"[Internal auditors should] assess AI governance, ownership and human oversight, and also review controls over data, models and third-party providers."
With cyber threats becoming increasingly sophisticated, the report also recommended that internal auditors assess incident detection, response, and recovery capabilities. Auditors should also test ransomware and cyber incident scenarios to ensure systems are robust.
The criminalisation of wage theft and the introduction of Payday Super, which will require real-time superannuation payments, were another important priority area for internal auditors. These changes would increase the need for more proactive payroll compliance by organisations, the report said.
Internal auditors, it added, should shift from periodic reviews to continuous, risk‑based payroll monitoring and use analytics to detect pay and entitlement anomalies.