New European IIA Report Offers Internal Auditors an Early Glimpse Into 2023

Each year, internal auditors can draw on a series of reports to augment their perspectives on the risks that are expected to confront their organizations in the months and years ahead. The first of these reports is the annual “Risk in Focus: Hot Topics for Internal Auditors,” compiled annually by the European Confederation of Institutes of Internal Auditors (ECIIA), and it never disappoints! The “2023 Risk in Focus” report was just released and, once again, it’s a must-read resource for internal auditors who are preparing to undertake their annual risk assessment and audit planning process.

While I strongly advocate a methodology for continuously monitoring risks and maintaining and refreshing a dynamic audit plan, I know that undertaking an annual risk assessment that fosters an initial calendar year audit plan is still the most common approach. For that reason, now is the time when CAEs and their teams are rolling up their sleeves to initiate the process for 2023.

The “2023 Risk in Focus” report is a collaboration of 14 IIA bodies in Europe and based on a survey of 834 CAEs from across the continent. In addition to the survey, roundtables were hosted with 39 CAEs and interviews were conducted with nine subject matter experts, including CAEs, audit committee chairs and a range of industry experts. Findings from that research provide valuable insights into how risk-induced disruptive events have impacted organizations. More importantly, the effort provides indications on risks that may lie ahead.

As the report aptly conveys, “Now a state of crisis is the new normality. Climate-related natural disasters, looming recession, an accelerating cost of living catastrophe in Europe, food shortages, employee welfare and skills deficits, and a rapidly industrializing cyberattack landscape are overlaid by intensifying geopolitical tensions and the very real threat of financial liquidity and solvency risks for businesses.”

As the sun begins to set on 2022, the report notes, “Internal auditors need to get a rapid grip on this situation and support their organizations to navigate more risky, uncertain and volatile times ahead. Instead of thinking about what individual risks might arise over the next year or two, chief audit executives need to be thinking over the coming decade. And be thinking big. How would we survive an overnight, permanent supply chain break with China? How would we cope if inflation hit 25% and stayed there, as it did in the 1970s? Are we prepared for the sudden, permanent increase in temperatures in every area in which we operate? Are we in a position to understand and help our clients and staff with the stresses and strains they face over the coming months and years?”

When looking ahead at 2023, the survey’s respondents provided an early window into 15 risks they believe their organizations will face. The top 5 are projected to be:

• Cybersecurity and data security
• Human capital, diversity, and talent management
• Macroeconomic and geopolitical uncertainty
• Changes in laws and regulations
• Digital disruption, new technology and AI

Not surprisingly given the events of 2022, “macroeconomic and geopolitical uncertainty” is new to Top 5 compared with 2022, pushing “business continuity, crisis management and disasters response” down to seventh place. As is often the case when surveys such as these are conducted, the Top 5 risks are not always the top areas of focus in internal audit’s plan. The survey found that the Top 5 areas of focus in internal audit’s 2023 plans are likely to be:

• Cybersecurity and data security
• Organizational governance and corporate reporting
• Changes in laws and regulations
• Financial, liquidity and insolvency risks
• Business continuity, crisis management and disasters response

As I often observe, gaps between an organization’s risks and internal audit’s coverage should be approached with a degree of caution. For example, “human capital, diversity and talent management” was seen as the second-highest risk facing organizations, but it comes in 10th in projected internal audit coverage. My fear is the difference reflects a lack of comfort for internal auditors in tackling non-traditional risks, such as human capital. It’s simply easier to audit the areas we know, but this can lead to potentially disastrous “where were the internal auditors?” moments.

While I found the projections of risks and audit coverage for 2023 to be very valuable, the most fascinating revelations in the report were once again the projections of where internal audit’s focus is likely to be three years beyond – in 2026:

• Cybersecurity and data security
• Digital disruption, new technology and AI
• Business continuity, crisis management and disasters response
• Climate change and environmental sustainability
• Changes in laws and regulations

The most significant change in the three-year outlook from last year’s report is the swift (and long overdue) emergence of “climate change and environmental sustainability” on internal audit’s projected radar. The report offers valuable advice for CAEs on the risks that climate change presents and the role internal audit should play. It includes a call-to-action of seven ways internal auditors can help their organizations in the face of this critical risk.

Given the events of the past few months, it is not surprising that this year’s “Risk in Focus” also deals extensively with geopolitical risks, particularly the ongoing war in Ukraine. As the report notes, “The war in Ukraine took many by surprise, including those with deep commercial interests in the region.” Survey respondents were asked which risks the war in Ukraine had impacted the most in 2022:

• Macroeconomic and geopolitical uncertainty
• Cybersecurity and data security
• Business continuity, crisis management and disasters response
• Supply chain, outsourcing and “nth” party risks
• Financial liquidity and insolvency risks

The 48-page report has a wealth of insight and key takeaways for internal auditors. The only way to truly appreciate it is to read it cover to cover. I urge all of my readers to put it at the top of your to-do list.

I welcome your thoughts.