Adapting Internal Audit in an Era of Geopolitical Volatility

Introduction

The world has entered what the World Economic Forum calls the “age of polycrisis” which is a convergence of economic, environmental, and geopolitical risks that interact and amplify one another. These are not isolated events, but complex, fast-moving, and unpredictable disruptions that pose a significant challenge to traditional internal audit practices. Internal auditors must now navigate a global landscape where war, inflation, climate change, trade fragmentation, and political rivalry directly shape organizational risk.

From globalization to fragmentation.

For years, internal audit frameworks operated under the assumption of global economic cooperation, supporting cross-border expansion and stable supply chains. However, this model has been disrupted by deteriorating international relations, trade wars, and financial restrictions particularly in strategic sectors like technology and commodities. Ongoing conflicts have destabilized energy markets and disrupted global logistics, making geopolitical risks a central concern in corporate risk management, especially as nations compete over critical resources for the clean energy transition.

This geopolitical fragmentation is deeply intertwined with environmental, social and governance (ESG) priorities that both influence and are shaped by international tensions. Climate change contributes to instability through migration, resource scarcity, and unrest, while national climate responses such as carbon border taxes and protectionist energy policies are increasingly driven by geopolitical interests. As net-zero strategies challenge the economic stability of fossil fuel-reliant nations and global climate leadership remains contested, the convergence of ESG concerns and geopolitical volatility presents new, complex risks for organizations pursuing sustainability amid shifting global power dynamics.
 

Internal audit implications

To remain relevant and valuable in this evolving risk landscape, internal audit must evolve from a backward-looking compliance function to a forward-looking strategic partner. Key shifts include:
 

1.    Integrating geopolitical risk into audit planning.

Internal audit teams must embed geopolitical risk assessments into audit planning. 

a)    Geographic risk mapping for supply chain vulnerabilities in electronics manufacturing

Internal audit teams use geopolitical risk mapping tools to assess supply chain vulnerabilities by overlaying supplier locations with political risk indicators. This helps identify over-reliance on suppliers in volatile regions, dependencies on disputed trade routes, and poor diversification across stable jurisdictions. These insights support recommendations for supply chain diversification and improved contingency planning.

b)    Sanctions and regulatory compliance monitoring in global banking operations

Dynamic sanctions screening and regulatory monitoring systems allow audits to assess compliance risks across jurisdictions. These systems detect risks such as links to sanctioned entities, high-risk transactions, changes in beneficial ownership, and weak compliance controls across regions. Real-time monitoring enables timely recommendations for enhanced due diligence and robust compliance frameworks.

c)    Energy price volatility assessment in manufacturing operations

By integrating energy market tools with geopolitical indicators, internal audit can evaluate exposure to energy price shocks. This includes identifying overdependence on unstable suppliers, poor hedging strategies, limited alternative sourcing, and operational sensitivity to cost fluctuations. Audit recommendations focus on improving energy procurement and strengthening risk management.

d)    Cross-border investment risk assessment in multinational corporations

Political risk frameworks help internal audit evaluate foreign investment exposures and planned expansions in unstable regions. Risks identified include political instability, hostile regulations, capital controls, IP protection gaps, and partnerships with high-risk entities. These findings guide recommendations for political risk insurance and better governance structures.

2.    Adopting dynamic risk tools.

Traditional risk matrices are insufficient, and internal audit should leverage on the following:

• Incorporate trend analysis to see how risks have shifted over time, rather than relying on static snapshots
• Use platforms to visualize emerging risks, update controls, and track mitigation efforts continuously
• Collect internal and external signals e.g. social media to detect early warning signs of evolving threats
• Scenario modelling – They also need to simulate future disruptions and evaluate the organization’s resilience.

3.    Evaluating the agility of internal controls.

Modern internal controls must be adaptable, not static hence auditors should assess:

• Whether the controls are designed to flex in the face of external shocks;
• How the internal controls can handle sudden changes in cost, regulation, or political environment; and
• Whether there is real-time monitoring for geopolitical triggers.

4.    Working with the first and second lines of defense

Effective risk management requires collaboration:

• The first line (operations) and second line (risk and compliance) must be equipped to respond to geopolitical changes.
• Internal audit should evaluate how these functions anticipate, detect, and respond to global events.
• Crisis response plans, risk assessments, and business continuity measures should be regularly stress-tested.

In conclusion

Geopolitical volatility is not a temporary disruption; it is the new normal. Internal auditors must sharpen their understanding of external risks, embed forward-looking tools, and challenge the agility of internal controls. In this new era, success will depend on how quickly Internal Audit can adapt to complexity, uncertainty, and global disruption.
  

Caveat

This publication has been prepared by RSM (Eastern Africa) Consulting Ltd, and the views are those of the firm, independent of its directors, employees and associates. This publication is for general guidance, and does not constitute professional advice. Accordingly, RSM (Eastern Africa) Consulting Ltd, its directors, employees, associates and its agents accept no liability for the consequences of anyone acting, or refraining from acting, in reliance on the information contained herein or for any decision based on it. No part of the newsletter may be reproduced or published without prior written consent. RSM (Eastern Africa) Consulting Ltd is a member firm of RSM, a worldwide network of accounting and consulting firms. RSM does not offer professional services in its own name and each member firm of RSM is a legally separate and independent national firm.