As organisations face evolving operational, technological, and regulatory challenges, Internal Audit functions must adapt their assurance plans to ensure that activities and insights remain of high relevance to Boards and Executives. In this article, we highlight key themes to help Internal Audit teams enhance their capabilities, align with strategic objectives, and use new technologies to improve efficiency and maintain compliance.
These emerging risk areas across technology, regulatory change and operational risk should be considered for their applicability to Internal Audit priorities in 2025.

Below we outline our view on the key Internal Audit themes, the role of Internal Audit functions and potential audit objectives that should be included in Internal Audit plans.
Compliance and Regulatory Risk
Regulatory Change
Organisations must remain agile and ready to adapt to evolving regulatory requirements. Recent high-impact regulatory changes, such as CPS 230, the Security of Critical Infrastructure (SOCI) Act and the Financial Accountability Regime (FAR), underscore the necessity for organisations to assess their readiness to respond effectively.
Internal Audit plays a key role in confirming that compliance frameworks and plans are robust, adaptable, and equipped to handle the risks associated with regulatory changes. Other anticipated regulatory changes, such as Privacy Act updates, will continue to require focus in this space.
Potential Audit Objectives:
- Review processes in place to manage compliance with relevant obligations and to identify and implement regulatory changes.
- Perform deep-dive compliance reviews covering new obligations relevant to the organisation, such as CPS 230, FAR and SOCI, to verify appropriate compliance with these requirements.
- Evaluate how third-party providers are engaged in supporting the organisation's response to regulatory changes and its alignment with compliance needs and regulatory obligations.
- Evaluate material service provider arrangements under CPS 230 requirements for APRA regulated entities.
Financial Crime
Financial Crime remains an area of significant attention, with an expansion of the provisions of legislation currently under consideration by the Government. Industries impacted by AML/CTF legislation include Financial Services, Gaming, Payments, and Professional Services.
Internal Audit plays a key role in assessing the extent to which the organisation is compliant with AML/CTF requirements and the extent to which fraud risks have been appropriately considered and addressed.
Potential Audit Objectives:
- Review key AML/CTF processes, including AML/CTF risk assessments, Customer Due Diligence, Transaction Monitoring, SMR/TTR reporting, training, etc.
- Evaluate fraud risk assessments and implemented controls to verify that these adequately mitigate against internal and external fraud.
- Assess the effectiveness of training programs for employees on recognising and reporting financial crime, and their role in preventing financial crime.
- Review the controls in place to manage financial crime risks related to third-party relationships, such as vendors, contractors and business partners.
- For AML/CTF Reporting Entities, perform the periodic independent review of the AML/CTF Program.
Data Governance and Privacy
As public reporting of data breaches becomes more widespread and considering the expanding scope of privacy-related compliance obligations, stakeholders expect robust data governance frameworks that ensure effective management, access control, and accountability in data handling practices.
Internal Audit plays a key role in confirming the design and implementation effectiveness of these controls.
Potential Audit Objectives:
- Assess data governance policies and processes.
- Perform independent scans for PII/SI to verify these are appropriately known and managed.
- Review due diligence processes for third-party data processors, including contractual arrangements for compliance with data protection requirements.
- Evaluate the procedures, tools and safeguards for establishing and maintaining data security and privacy, aligned to data sensitivity and classification.
- Assess the design and readiness of the data breach response plan, ensuring it aligns with third-party data breach response plans.
Strategic and Operational Risk
Artificial Intelligence Governance
The oversight and ethical use of Artificial Intelligence (AI) technologies in organisational decision-making processes is a pressing concern for many businesses today.
Internal Audit plays a key role in assessing the establishment of robust governance frameworks that ensure compliance with ethical standards and regulatory requirements. These frameworks should also mitigate risks associated with bias, transparency, and accountability.
Potential Audit Objectives:
- Assess alignment of the AI strategy, objectives and governance frameworks with standards, relevant laws and regulations, and industry standards.
- Assess the readiness of the organisation for the adoption of the AI strategy or roadmap.
- Evaluate processes for developing, testing, and validating AI models.
- Evaluate the governance of AI and Machine Learning dictionaries and language models.
Strategic Projects and Change
Assurance over major transformation projects has become increasingly important as organisations deliver strategic technology and operating model changes and bring new products to market. In addition, the challenge of technical debt arising from outdated systems and infrastructure can lead to reduced agility, system failures and impact customer satisfaction and retention.
Internal Audit plays a key role in verifying that these projects align with long-term business objectives and effectively manage associated risks.
Potential Audit Objectives:
- Provide an independent view on the delivery status of major initiatives.
- Perform reviews relevant to the lifecycle of major initiatives, i.e. governance/management setup reviews, stage gate reviews, pre go-live reviews, business implementation reviews, etc.
- Assess the effectiveness of enterprise portfolio management, including investment decision processes, oversight mechanisms and the management of value realisation.
Environmental, Social and Governance
Government and regulatory bodies are introducing Environmental, Social and Governance (ESG) disclosure requirements in response to a growing focus on ESG. This has highlighted the disparity between enterprise risk frameworks and their ability to assess ESG risks and opportunities. Additionally, there are increased expectations on third and fourth parties to provide a clear picture of their Scope 3 emissions performance.
Internal Audit plays a key role in assessing the completeness and accuracy of the processes and data used for ESG reporting.
Potential Audit Objectives:
- Assess the effectiveness of ESG reporting frameworks, including data quality, integrity, security and disclosure practices, to verify compliance with regulatory requirements.
- Assess the extent to which the organisation has adequately considered and captured ESG risks and opportunities.
- Evaluate the effectiveness of the framework in place with third and fourth parties to provide a comprehensive view of ESG risks and emissions performance.
Cultural and Human Factors
Risk Culture
Risk culture encompasses the shared values and behaviours that influence an organisation’s approach to risk management. A strong risk culture is crucial for proactive risk management and organisational resilience. Regulators are increasingly expecting that Boards understand and enhance their risk culture.
Internal Audit plays a key role in assessing risk culture frameworks and in providing an independent view of the organisation’s risk culture.
Potential Audit Objectives:
- Perform an independent assessment of Risk Culture, Divisionally or across the Group, aligned to APRA’s Risk Culture dimensions. Though only applicable to APRA regulated entities, these dimensions provide best practice guidance for other organisations to adopt.
- Review the Risk Culture Framework and the extent to which this contributes to tangibly improving the risk culture of the organisation.
Psychosocial Risk
Key to every organisation are its people, whose safety and well-being are a top priority. Under various WHS legislative requirements, organisations have an obligation to protect workers and others from harm. This includes maintaining controls to prevent psychosocial risks from escalating into psychological or physical harm to employees.
Internal Audit plays a key role in verifying that WHS policies and processes are fit for purpose, given the nature of the organisation and its activities.
Potential Audit Objectives:
- Evaluate the adequacy of training and awareness programs to educate employees on identifying, managing and escalating psychosocial risks.
- Assess strategies and measures in promoting a positive work environment and employee satisfaction, focusing on workload, work-life balance, workplace conditions, and available employee support.
- Review the current reporting mechanisms for psychosocial risk management and incident notification to internal and external parties.
Areas for Internal Audit Focus in 2025