Why the Iran War Just Exposed a Critical Gap in Your Third-Party Risk Assessment

Most internal audit teams feel reasonably confident about their supply chain risk coverage right now.

You have third-party risk management processes. You assess critical vendors. You perform periodic supplier reviews. Maybe you even incorporate elements of operational risk and business continuity planning.

But the Iran war and escalating conflict in the Strait of Hormuz are exposing a gap that most internal audit functions have not addressed.

The immediate story about the Iran war is energy price volatility. Oil disruptions get headlines. 

What's not getting attention is how this conflict flows through upstream dependencies and into the semiconductor supply chain in ways your current audit scope probably doesn't capture.

This is not just an energy risk. It's a supply chain risk hiding several layers below your vendor lists.

The Dependency No One Is Talking About

Here's what most organizations don't realize: Qatar produces approximately one-third of the world's helium supply, roughly 66 million cubic meters annually as a byproduct of natural gas extraction, with much of it moving through the Strait of Hormuz.

Helium plays a critical role in semiconductor manufacturing. It's used to cool silicon wafers during the etching process that forms transistor structures. It maintains constant temperature during photolithography. There are no viable substitutes for advanced chip production.

When Iranian attacks in March 2026 halted Qatar's Ras Laffan facility, the world's largest LNG export complex, which produces helium as a byproduct, the semiconductor industry faced immediate constraints.

South Korea sources 64.7% of its helium from Qatar. That puts Samsung Electronics and SK Hynix, the world's largest memory chip makers, at particular risk as the Iran war disrupts critical supply routes.

Most organizations will not see this risk coming because it does not sit with a direct vendor. It sits several tiers down in the supply chain.

That's exactly where internal audit needs to be looking.

Why Your Current Framework Is Missing This

Traditional third-party risk management focuses on vendor due diligence, financial health, and contractual protections.

Those controls are necessary, but they don't capture input-level dependencies or logistics concentration risk.

The Strait of Hormuz carries 20 million barrels of oil per day and 20% of global LNG trade. What most miss is that roughly 84% of helium moving through this chokepoint is destined for Asian semiconductor manufacturing hubs.

When helium supply becomes constrained, semiconductor companies reduce production rates to conserve helium while preserving process integrity. As Rick Freeman, a Resilinc High Tech and Semiconductor expert, explains: "With 30% of the overall supply blocked, semiconductor companies have already made calls to secure alternate supply." 

If they can't find it, then manufacturing will slow down and the chips market will become even more constrained.

That creates downstream pressure on technology infrastructure, AI development, and any company dependent on chips, which is nearly everyone.

The Visibility Problem

Here's what makes this particularly challenging for internal audit:

Helium still doesn't get a dedicated line item in supply chain risk assessments.

Despite being more critical and less substitutable than neon, helium represents a quiet single point of failure in semiconductor supply chains.

Your procurement team probably isn't tracking it. Your operations team may not know the dependency exists. Your third-party risk questionnaires almost certainly don't ask about it.

Internal audit teams should be asking:

  • What critical materials underpin our products and services?
  • Where are those materials sourced from, and through what routes?
  • How many layers down does our current visibility actually extend?
  • What concentration risks exist in our input supply chains?

If those questions are difficult to answer, that's a control gap.

What This Means for Your Audit Plan

This type of disruption should directly influence how internal audit plans, scopes, and executes supply chain audits.

The Seoul government has flagged helium among 14 semiconductor supply chain materials for monitoring due to heavy vulnerability. Even disruptions affecting just a handful of materials could destabilize the entire semiconductor manufacturing process, as each stage of production depends on the previous one.

Here's where your audit approach needs to evolve:

Expand Supply Chain Risk Assessments Beyond Vendor Lists

Move beyond assessing who your vendors are and start identifying what critical inputs could disrupt operations.

This requires visibility into materials, not just suppliers. It's a more advanced form of supply chain risk management that many organizations haven't implemented yet.

Your audit function should be connecting these types of industry warnings to organizational exposure before the disruption hits.

Incorporate Geopolitical Risk Into Audit Planning

Internal audit should be scenario testing how the Iran war and resulting shipping route closures impact operations. The hidden risk lies in specialized inputs like helium moving through the same chokepoint as energy supplies.

Your audit plan should include:

  • Mapping critical supply routes for key inputs
  • Identifying geographic concentration risks
  • Testing business continuity plans against multi-factor disruption scenarios
  • Evaluating how quickly the organization can pivot to alternate sources

Validate Business Continuity Assumptions

Inventory buffers and alternate suppliers are often assumed to work. Internal audit should validate how long those mitigations actually hold under pressure.

Your audit should test:

  • How long can current inventory levels sustain operations if supply is disrupted?
  • Do alternate supplier arrangements actually provide meaningful redundancy?
  • What happens when multiple organizations compete for the same limited alternate supply?
  • Are business continuity plans realistic given actual market conditions?

Break Down Silos Across Functions

Procurement knows vendor relationships. Operations understands production dependencies. IT manages technology infrastructure. Internal audit is uniquely positioned to connect those views into a coherent risk assessment, moving from compliance checking to strategic insight.

The Pattern Behind the Helium Story

The Iran war and Strait of Hormuz situation is a case study in how modern supply chain disruption actually happens.

It's indirect, layered, and often originates in places not captured in traditional risk registers.

The AI infrastructure buildout is creating similar patterns across multiple inputs. Hyperscalers compete aggressively to build capacity. That competition creates sudden demand for specific components. Manufacturers pivot production toward high-margin inputs. Everyone else finds themselves at the back of a very short queue.

This is not a one-time event. It's a structural feature of how supply chains now operate.

Internal audit teams that evolve their approach to include input-level dependency mapping, logistics risk assessment, and geopolitical scenario analysis will be far better positioned to anticipate disruption.

Those that continue to rely on traditional third-party risk management frameworks will likely identify these issues too late.

Questions Your Audit Committee Should Be Asking

If you're presenting to your audit committee or board, here are the questions you should be prepared to answer:

Did your internal audit function see this type of risk coming?

Six months ago, a proactive risk identification conversation with procurement and finance could have meant locking in favorable contracts, accelerating hardware refresh cycles before prices moved, or building realistic assumptions into budget planning.

Are your risk monitoring processes picking up external signals like this?

Industry warnings, geopolitical developments, and supply chain shifts should flow into your audit planning process. If they don't, your function may be operating with a significant blind spot.

Are your findings reaching the right people with enough lead time to drive decisions?

Risk identification only matters if it translates into action. Your audit function should have clear channels to escalate emerging risks to decision makers while there's still time to respond.

Moving From Reactive to Proactive

The value of a high-performing audit function is not just identifying what went wrong after budgets are blown or operations are disrupted.

It's providing actionable foresight. It's auditing the process of risk identification to ensure the organization connects macro market signals to operational exposure early enough for leadership to act.

The AI revolution is generating a new class of supply chain, procurement, and forecasting risk that most governance frameworks have not caught up to yet.

Closing that gap requires:

  • Continuous risk monitoring that extends beyond your vendor list
  • Tighter feedback loops between audit, finance, and operations
  • A culture of early risk communication
  • Scenario testing that incorporates geopolitical and market dynamics
  • Visibility into input-level dependencies, not just supplier relationships

This is exactly how audit functions evolve from compliance checkboxes into strategic advisors.

The Window Is Shrinking

By the time a supply constraint shows up in procurement quotes or production delays, you're already reacting. The opportunity to get ahead of the risk has passed.

Internal audit teams need to be looking several layers down in the supply chain, connecting geopolitical developments to operational dependencies, and raising these risks while there's still time for the organization to respond.

The helium crisis is one example. The pattern will repeat with other critical inputs as technology infrastructure demands continue to grow and geopolitical instability persists.

The question is not whether the next disruption is coming.

It's whether your audit function will see it in time to matter.
