7 minute read 28 Oct 2020
Internal Audit plan for 2021

How to ensure your Internal Audit plan addresses key risks and controls

By Henrik Lind

EY Nordic Internal Audit Leader, EY Nordic Advanced Manufacturing & Mobility Client Serving Partner

Supporting companies to better understand how weaknesses and threats can be transformed into opportunities and strengths. Advisory Partner.

7 minute read 28 Oct 2020

Internal Audit plan for 2021 – addressing key risks and trends.

In brief: 
  • In an already highly disruptive business environment, COVID-19 has aggravated uncertainty.
  • A strategic, proactive Internal Audit can steer the business clear in this risky landscape. 

We organize frequent webinars and roundtables to drive meaningful discussions on current and future Internal Audit trends. The latest EY webinar “How do you ensure that your Internal Audit plan is addressing key risks and trends?” sought to find answers to three questions:

  • What are the key risks and trends to be considered in the Internal Audit plan for 2021?
  • How are you taking the impact of the ongoing pandemic into consideration?
  • How can you effectively address your company’s key risks in your Internal Audit plan?

Your strategy needs to reflect the current state of the world

The EY Megatrends approach provides an organizing framework that allows you to formulate strategy by looking beyond your traditional sector and legacy competitors, and identify potential threats and opportunities.

For years, the term “disruption” has been used as a term in business plans. Currently, we are experiencing an unprecedented global disruption in modern history. 

While COVID-19 has upended much of the world, the basic framework of the megatrends — the forces driving them and the future working worlds they enable — remain as relevant as ever. The four primary forces at the root of disruption — namely, technology, globalization, demographics and environment —have existed since long. But, as these forces evolve in waves and the interaction between these new waves gives rise to new megatrends.

The immediate impact of the current wave

  • Technology

    Technologies will be critical for bringing human augmentation to mainstream use. In the post-pandemic world, we will most likely see increased R&D and funding as 5G, edge computing, next generation batteries, pre-vision sensors and computing become a necessity.

  • Globalization

    Populism and nationalism are on the rise. That’s fueling protectionism, with the US and China imposing tariffs undermining institutions that are critical foundations of the global order. The pandemic has highlighted economic inequality and taken a disproportionate toll on the poor, which could fuel social unrest and more populism.

  • Demographics

    Gen Z make up 24% of global population. Gen Z's fundamental commonality lies in digital. They are committed to global sustainability, and they will enter or return to the job market in a severe recession post COVID-19. 

  • Environment

    Exponential climate impacts force business leaders to look at climate risk with a new enhanced focus. Exponential climate impacts threaten more than supply chains and physical infrastructure — they endanger growth by exacerbating system-level disruption to customers, investors, employees and communities.

All this puts a lot of pressure and we live under more stress now than before. In these incessantly changing times, think about a few things that you now consider crucial for your organization’s overall success:

  • How do you make sure you don’t miss the next disruptive shift?
  • How do you optimally invest scarce resources in a multi-horizon portfolio, given this uncertainty?
  • How do you invest for long-term disruption, while continuing to win in the short run?
  • How do you solve the now, explore the next and imagine the beyond?

What we have is a continuously changing risk landscape that directly hits our businesses. We asked our participants how frequently their organizations update their risk profile, considering internal and external factors that impact the strategic execution. Almost 50% of the companies have a more frequent risk assessment. 

The changing risk landscape

The risk landscape has changed compared to when EY teams performed the Global Risk Survey in March 2020. The reason behind the changes in risk landscape is a general change in C-suite priorities, which is a result of COVID-19 and the introduction of megatrends. C-suite has shifted focus to business resiliency, customer experience and connectivity, which cover the top risks.

Business resiliency

Close to 71% respondents reported it as a top priority as businesses focus to counter economic downturn using technologies to automate and scale. Adapting to changing environments requires unique project management skills, and a lack of this will have a negative impact on companies’ ability to operate.

Customer experience

This priority includes expanding customer engagement model to online or self-service. Customers are affecting the overall market health due to their changes in demand. The ability to analyze and optimize customer experience is hence important and is a high-risk area for companies.


Seamless connectivity enables organizations to connect, regardless of their location, situation or context. This leaves companies more exposed, which is why the risk of cyberattacks has moved up the ladder. The inability to keep pace with digitalization also automatically becomes a risk when connectivity is important.

The main activities we spotted in crisis management have been around workforce management and securing financials. However, we are now moving into the next phase, where business leaders are focusing on adapting their operations to the new normal and increase resilience. From an EY perspective, we see a lot of these activities — from cost-cutting, reducing carbon footprint, workforce programs to digitalization — already underway.

Compared to our risk assessment in May, we identified some new risks now, such as trade barriers, digitalization and technological speed, investments, new skills, social and environmental responsibilities and control environment. Obviously, we are now focusing to adapt and rebuild our operations.

From the assessment of risk scenarios, we can infer that the market is now over the immediate crisis with renewed focus. We believe that "pandemic reset" of the market will accelerate the next S-curve. Hence, it will be all the more important for Internal Auditors to understand the megatrends and interdependencies of events or risk scenarios. This will help them prioritize resources to better support the business and boards in future, thereby protecting and growing shareholder value.

These turbulent times put a lot of pressure on our businesses

The Internal Auditors are also challenged on how to best contribute with value-driving Internal Audits these days. There are different types of thematic audits that can be executed, either as more consultative projects or as reviews. We have learned that some of the larger industrial companies are now changing their ways of working to better support their organization needs. 

New ways of working and more complex type of audits will require different approaches, competencies, enablers and stakeholder buy-in. 

In our webinar, we asked our participants the top three matters they consider when executing thematic audits. Access to external or internal subject-matter expertise, revised evaluation of risks, and communication with stakeholders were clearly the top three.

Audit planning approach shifts from annual audit planning toward flexible audit planning

We have observed that most of the companies are still providing an annual audit plan, which is reactive to events. The future way of executing the audit planning will be continuous with a flexible audit plan, which is proactive.

This agile and flexible approach will be in tune with the organization’s strategic direction and priorities, and will address the changing business landscape. Internal Audit professionals will be able to apply more judgement in their work and focus their attention on emerging risks and outcomes, not the existence of processes and controls. They will also be able employ a variety of dynamic outputs, on a more real-time basis, and go beyond root-cause analysis to provide best practices, sector trends and relevant benchmarks to meet the needs of stakeholders.

The flexible Internal Audit planning considers current internal and external sources of risks. We asked our webinar participants how the planning process looks like in their organization. Most of the respondents are still executing annual audit planning, but there are several organizations, which have already moved to flexible audit planning. 

Based on our experiences, we recommend you to:

  • Understand the business climate where you operate and business strategy
  • Understand your key stakeholder landscape and expectations on Internal Audit
  • Identify and prioritize your risk profile
  • Prioritize your resources and focus on risks that matter most
  • Decide how your mandate should be defined and how your Internal Audit plan should be executed (fixed vs. dynamic)
  • Understand if your methodology and digital tools are up-to-date and serves its purpose
  • Check that your communication is appropriate in terms of the type of audits and the parties involved
  • Evaluate in which areas you can collaborate with other second-line functions
  • Stay relevant


COVID-­19 has accelerated the global megatrends, forcing organizations to move toward flexible audit planning, earlier than planned. The aim is to shape the Internal Audit practice to meet the future and the post-pandemic world demands. Market conditions, cyberattacks and digitalization are here to stay and bring along new, even more sophisticated risks, to which companies need to respond in order to find long-term success. 

About this article

By Henrik Lind

EY Nordic Internal Audit Leader, EY Nordic Advanced Manufacturing & Mobility Client Serving Partner

Supporting companies to better understand how weaknesses and threats can be transformed into opportunities and strengths. Advisory Partner.