We are approaching the time of year again when many internal audit departments around the world initiate their audit planning process for the upcoming calendar year. While I strongly advocate a continuous methodology for assessing risks and a dynamic audit plan that is continuously refreshed, I would be the first to acknowledge that undertaking an annual risk assessment that fosters an initial calendar year audit plan is still the most common approach. For that reason, now is the time when CAEs and their teams are rolling up their sleeves to initiate the process.
This is also the time of year when the first clues begin to emerge about where CAEs see risks and internal audit’s focus for the year ahead. That is one of the reasons why The European Confederation of Institutes of Internal Auditors’ (ECIIA) annual Risk in Focus: Hot Topics for Internal Auditors is so highly anticipated. This week, The ECIIA released the 2022 Risk in Focus report, and it doesn’t disappoint! Having read and analyzed several of the Risk in Focus reports, I believe this is the best one yet.
The 2022 Risk in Focus report is the product of collaboration between 12 IIA bodies in Europe, and is based on surveys of 738 CAEs from across Europe. In addition to the survey results, interviews were simultaneously conducted with 35 CAEs, 12 audit committee chairs, and 3 CEOs from European companies. The insights gained from the research make for a “must read” whitepaper that not only conveys an insightful summary of how COVID-19 has impacted the profession, but also paints a vivid portrait of where the profession finds itself as the world slowly emerges from this extraordinary global experience. To me, the most valuable aspects of the report are the perspectives it provides on where risks and internal audit focus are likely to go over the next three years.
As the report aptly conveys: “Organizations and their internal audit functions face a dizzying pace of change and unprecedented uncertainty. The pandemic has destabilized operations and labor, disrupted supply and demand, and undermined previously sound business models to an extent few would have thought possible.” As the sun begins to set on 2021, the report notes that “many countries are witnessing a resignation crisis, staff shortages and high vacancy rates demonstrating how profoundly the pandemic has exacerbated the talent management risks that existed long before 2020.” Looking ahead, the report projects that “change and uncertainty will define 2022 and the years that follow. Internal audit must understand this change in the outside world, articulate how well it believes the organization is adapting to these pressures and identify how effectively associated risks are being accounted for and managed.”
When looking ahead at 2022, the survey’s respondents provided an early window into 15 risks they believe their organizations will face next year. The top 5 risks in 2022 are projected to be:
- Cybersecurity and data security
- Changes in laws and regulations
- Digital disruption, new technology and AI
- Human capital, diversity and capital management
- Business continuity, crisis management and disasters response
Business continuity, crisis management, and disaster response is new to the Top 5 compared to 2021, and “financial, liquidity and insolvency risks” fell out of the Top 5 to 6th place. As is often the case when surveys such as this are conducted, the Top 5 risks are not always the top five areas of focus in internal audit’s plan. The survey found that the Top 5 areas of focus in internal audit’s 2022 plan are likely to be:
- Cybersecurity and data security
- Organizational governance and corporate reporting
- Changes in laws and regulations
- Business continuity, crisis management and disasters response
- Financial, liquidity and insolvency risks
As the report notes (and I often observe), gaps between an organization’s risks and internal audit’s coverage should be approached with a degree of caution. For example, “Digital disruption, new technology and AI” was seen as the 3rd highest risk facing organizations, but the risk came in 9th in internal audit coverage. My fear is that the gap between technology-related risks and audit coverage reflects internal audit expertise in technology-related areas – it being simply easier to audit the areas we know. Such gaps in coverage heighten the risk of a “where were the internal auditors?” moment.
While I found the projections of risks and audit coverage for 2022 to be very valuable, the most fascinating revelations in the report were the projections of where internal audit’s focus is likely to be three years beyond – in 2025:
- Cybersecurity and data security
- Digital disruption, new technology and AI
- Changes in laws and regulations
- Organizational governance and corporate reporting
- Business continuity, crisis management and disasters response
By now, you may be asking: “What about climate change and environmental sustainability?” As I found when I conducted a similar survey of American CAEs earlier this year for AuditBoard, there is widespread acknowledgement of the intermediate and long-term criticality of climate change-related risks; however, they are often not seen as a “burning platform” worthy of immediate audit-related coverage. The Risk in Focus report does project, however, that technology-related risks and climate-related risks will increasingly be making their way into audit plans in the years ahead. While projections for technology-related risks made the most obvious leap by surging into the Top 5 for 2025, “climate change and environmental sustainability” coverage wasn’t far behind. But as the report notes: “Audit leaders must push for the resources to build highly competent and highly relevant functions that can tackle these shifting assurance needs with confidence. This should be addressed urgently. Waiting until 2025 may be too late.”
The 2022 Risk in Focus report is far too comprehensive for me to summarize it all in this blog. There are extensive and insightful discussions on topics such as:
- IT security: response and recovery
- Rising sustainability regulations
- Supply chain strains
- Workforce fatigue and cultural erosion
- Health and safety amid the continued COVID-19 threat
The only way to truly appreciate the extraordinary insights in this report is to read it cover to cover. I urge all of my readers to put it at the top of your to-do list.
I welcome your thoughts.
I welcome your comments via LinkedIn or Twitter (@rfchambers).