On the CAE Agenda: Q1 2022

Discover what IA leaders are discussing with their stakeholders across the core elements of their CAE agendas.

Michael A. Smith

Partner, Advisory, and U.S. Internal Audit Solution Leader, KPMG US

+1 214-840-6019

Richard Knight

Principal, Advisory, and U.S. IT-Internal Audit Solutions Leader, Technology Risk Management, KPMG US

+1 703-286-8393

The role and focus of internal audit (IA) is ever-evolving. This piece provides quick insights into what IA leaders are currently hearing, considering, doing, and discussing with their stakeholders across the core elements of their CAE agenda.


The agenda

Strategy and value management

  • IA’s role in emerging topics such as ESG, cyber threats, and disruptive events (transactions, transformations, etc.)
  • Broadening risk coverage as business model and digitization efforts evolve
  • Integration and coordination across three lines of defense (e.g., common risk taxonomy)
  • Getting to the right Key Performance Indicators (KPIs) to measure value for the business

Risks and responses

  • Cybersecurity* (e.g., ransomware incident response*, phishing, hacking, data theft)
  • Business and operational resiliency (e.g., supply chain interruptions*)
  • Third party risk management
  • Workforce* (e.g., contingent workforce, upskilling and reskilling talent, distributed tax implications)
  • Regulatory compliance (e.g., more regulated environment, expanded role for IT)
  • Mergers and acquisitions* (e.g., portfolio management, transformation of the organization)
  • Digital transformation (e.g., ERP, continuous control monitoring)
  • IT resiliency (e.g., data governance, data and asset management, IT talent)
  • ESG initial program assessment*
  • Cloud services and storage (e.g., data security, business continuity)
  • Fraud
  • Culture*

Modern workforce

  • Consideration of IA resources with ESG experience
  • Need for a flexible sourcing model
  • Better integration of IA IT resources across the organization
  • Need for more specialized or mature capabilities around data analytics and insights
  • Upskilling IT and enterprise technology acumen
  • Overcoming talent drain and resource needs through hiring and retention
  • Overall shift in skillsets needed given shifts in IA delivery model

Digital acceleration

  • Data-driven enterprise risk assessment
  • Focus on automation
  • Continuous monitoring
  • Stronger integration of second and third lines on common GRC technologies
  • Process mining

Stakeholder engagement

  • More SMP expertise in IA especially when working with first and second line
  • Improve IA brand
  • Changing demographic of AC
  • Improving AC chair connectivity
  • Resourcing needs across the organization

Operational model

  • Operating with increased agility, especially during risk assessment and planning
  • Staying close to the business in a virtual environment

An asterisk (*) indicates emerging risks.