Top 5 key risks for internal auditors in 2020

Predicting the future is always difficult. In 2015, few polls anticipated a Conservative majority in that year’s general election. Just a year later, Remain was the overwhelming favourite in EU Referendum betting lines. And possibly the most unexpected result of the last five years? Arguably Leicester City overcoming 5,000-1 odds to win the Premier League …

The primary role of internal auditors has always been to provide assurance that an organisation’s risk management, compliance and other governance functions are fit for purpose. This has traditionally been a retrospective activity, but research shows executives now expect more from their auditors. Organisations want departments to leverage the latest predictive analytics and take advantage of their impartial, bird’s-eye view of different departments to forecast and protect against potential dangers.

But what risks lie ahead for internal auditors in 2020? Every year, the European Confederation of Institutes of Internal Auditing (ECIIA) and the Chartered Institute of Internal Auditors (IIA) produce a comprehensive Risk In Focus report for the industry.

Based on their findings, here are the top five risks highlighted for next year: 

1. Cyber security and data privacy 

Cyber security and related risks have dominated the ECIIA and IIA report for the last three years, albeit with slightly different focuses. In 2018, GDPR was the main concern, as organisations geared up for the May 25th implementation deadline. This year, IT governance and third-party suppliers were predicted to be the hot topics.

Looking ahead to 2020, 78% of chief audit executives (CAEs) felt cyber security is a top-five risk to their organisation. This is notably higher than the two-thirds of respondents who said the same last year and nearly 20 percentage points more than 2020’s second biggest concern – regulatory change and compliance.

Various cyber security incidents have kept the topic at the forefront of CAE minds as we close out 2019. Stories that stole the headlines last year included the Spectre and Meltdown vulnerabilities that affected almost all Intel processing chips, as well as the exposure of 50 million Facebook users’ personal information. More recently, the ICO’s intention to issue hundreds of millions of pounds worth of GDPR fines will also likely have spooked CAEs.

According to the ECIIA and the IIA, the key cyber security questions that audit departments should be asking themselves are:

  • Is there evidence we have the basics covered? This includes malware detection, software updates, staff awareness and access rights. 
  • Are we prepared for the evolving nature of cyber risks to our organisation, given the fast pace of digitalisation?
  • Is our IT security team staying up to date with evolving information security threats?
  • Do we need more internal audit staff to bolster our defences?
  • How compliant are we with GDPR? Has progress been made in the last year?

The ECIIA and the IIA also “strongly advise” departments to equip themselves with the necessary technical resources. This can be achieved either by calling in expert interim staff or recruiting a technical security specialist who can subsequently be trained to audit.

“Given the demand for such skills, hiring talent will be costly and this best-practice approach may not be feasible for smaller internal audit functions with limited funding,” the report reads.

“Nonetheless, the value of developing in-house information security audit resources should be clearly communicated to the board/audit committee.”

2. Regulatory change and compliance 

European regulation underwent massive overhauls in 2018. Among the banner highlights were the introduction of GDPR, MiFID II and PSD2. While it may have been a big year for regulatory change, the burden on organisations has been steadily increasing for more than a decade now. Thomson Reuters figures estimate there were 8,704 financial regulatory publications, changes and announcements in 2008. This figure had climbed to 56,321 by 2017.

Enforcement efforts also had a bumper year in 2018. AML fines in Europe reached a record amount, with major penalties hitting firms such as ING and Standard Chartered (SC). In fact, a £102 million penalty levied against SC was just a fraction of a wider case that saw the firm pay US regulators nearly $950 million for poor counter-terrorism finance controls.

Perhaps unsurprisingly, then, 59% of CAEs placed regulatory change and compliance as a top-five risk for 2020, while 13% chose these issues as their single biggest concern. The key questions auditors must tackle heading into 2020 include:

  • Are we taking a forward-thinking approach to regulatory changes that affect our industry?
  • Have we learned lessons from previous regulatory breaches?
  • Are our first- and second-line defence efforts well co-ordinated and able to comply with the necessary regulations?
  • Can we maintain our independence in situations where we provide compliance assurance in the third line of defence?
  • Is the extraterritorial nature of regulations creating more risk for our organisation?

Again, meeting these requirements requires having sufficient resources, but are businesses investing enough in their internal audit teams to combat regulatory change? At least one CAE respondent in the ECIIA and IIA report doesn’t think so.

“If we look at the number of hours we allocate for mandatory regulatory and compliance audits, it amounts to about 20% of the total number of hours and it is increasing every year. But our resources are not increasing in line with that. That’s a real challenge,” the executive explained.

3. Digitalisation and business model disruption

The role of auditors as businesses embark on digital transformation is a topic we’ve discussed in depth on the blog before. Suffice to say, digital disruption is a significant risk factor for many organisations across multiple industries.

Disruptors are typically start-ups or well-resourced big tech firms that are able to capitalise on a particular market niche. Established incumbents may overlook these consumers, which may not be a problem at first, but disruptors will typically scale up and begin encroaching on other customer bases, offering better and often cheaper services.

CAEs therefore consider digitalisation and business model disruption a significant risk factor to their operation, with 59% claiming it’s a top-five risk. Digitalisation is also a much broader-based concern – 18% of respondents said it was their number one worry, which was notably higher than for regulatory change and compliance (13%).

Interestingly, however, CAEs may be neglecting digitalisation and business disruption in terms of their audit plans. Only 30% of respondents claimed this was a top-five area where they spent most of their time and effort, whereas more than 60% listed regulatory change and compliance in their top five.

The ECIIA and IIA report provides some insight into the types of digitalisation issues CAEs should be recognising:

  • How well informed are senior management about the potential disruptors for the business and its industry?
  • Is our business model likely to still be viable in five to ten years? If not, what is being done to protect the firm’s future?
  • Do we have the capacity and capabilities to innovate?
  • Are our efforts to digitalise and keep pace with competitors having an effect on our internal control environment?
  • How can we improve our technology implementation to prioritise a risk-control mindset? 

Looking even further ahead, 75% of CAEs believe digitalisation and business model disruption will be a top-five risk in 2024. Specifically, the rise of AI, blockchain and other emerging technologies is expected to revolutionise numerous industries.

4. Nth party and supply chain risk

Third-party supplier risk is often a key consideration for corporate governance departments. But heightened regulatory scrutiny means organisations may now have to look even beyond the direct contracts they hold with vendors and examine the subcontractors and supply chains supporting these firms.

This is especially important within the IT infrastructure and data assets realms, where far-reaching regulatory expectations place pressure on businesses to understand much more about how their information is handled and managed.

Outsourcing, supply chains and third-party risk were cited by 36% of respondents as a top-five concern, although very few considered it their main priority (3%). That said, nth party risk is being taken seriously, with 41% of CAEs saying it’s one of the top five areas where they spend their most time and resources.

“Internal audit can add value by taking an inventory of core processes and functions that are outsourced and reviewing the governance around procurement and contract management,” the ECIIA and IIA recommended.

The key questions for internal audit include:

  • Do we regularly review the appropriateness of our outsourcing programme?
  • Can our auditors gain physical access to third party sites if required?
  • Are audit rights included in our contracts? Can we physically access third-party sites if required?
  • Do we know our nth party exposure and what processes are handled by these organisations? Have we been recording an appropriate inventory of these exposures?
  • Are our suppliers complying with GDPR and other data security requirements?

5. Business continuity and brand reputation

Various high-profile incidents have occurred in recent years that emphasise the importance of strong business continuity plans and appropriate reputational damage limitation measures.

For example, many airlines and airplane manufacturers have been in the headlines for all the wrong reasons. In 2017, United Airlines came under fire when a passenger was forcibly removed from a flight when he refused to give up his seat due to overbooking. The airline’s PR handling of the incident was severely criticised, leading to widespread changes to booking and compensation processes.

Meanwhile, British Airways suffered another IT glitch in August, affecting tens of thousands of customers. The incident followed a cyber-hack in 2018 that is likely to see the airline face a significant GDPR fine, while a May bank holiday systems failure the previous year had cost the firm almost £80 million.

These are just a few examples of companies that have suffered PR disasters, and the reputational damage that follows such incidents can have a massive impact on revenues, shareholder confidence and share prices. As such, 31% of CAEs selected business continuity, brand value and reputation as a top-five risk to their organisation, although just 4% picked it as their primary concern.

“There is a genuine value-add role for internal audit to play in assessing what efforts are being made by the business to understand how it is perceived by stakeholders and the general public, and what steps are being taken to build trust and brand value to help the company better withstand the shock of future incidents,” the ECIIA and IIA advise.

How can auditors best tackle these issues? By asking themselves these questions:

  • Are we aware of the main continuity risks to our organisation? Have these risks been codified?
  • Do we have a comprehensive business continuity plan in place and has it been tested?
  • Who is accountable when business continuity is hindered? Are these individuals aware of their responsibilities?
  • What is our PR and communications damage-limitation policy?
  • How sophisticated is our understanding of our reputation and the impact this has on brand value?

Preparing internal audit teams for 2020

These were the top five risks for internal audit departments next year, but they are by no means the only problems that could be on the horizon. The top ten also included financial risks; geopolitical instability and the macro-economy; human capital; governance, ethics and culture; and climate change.

If you want a full rundown of the list and insights into each risk, the ECIIA and IIA report is available here.

One of the key themes running through the report is the need for organisations to ensure they have sufficient resources in place to tackle the threats posed by an ever-evolving threat landscape. This includes upskilling current employees and investing in new staff. Our research shows nearly half (48%) of audit departments feel inadequately resourced to handle the demands currently placed upon them, while 70% of employers intended to recruit into their audit teams this year.

With expectations on internal auditors reaching new heights, companies often find it difficult to attract and retain the right candidates for the challenges they face. Technology and cyber skills are particularly in demand. If you wish to discuss your internal audit recruitment needs, please contact me today on 020 7936 2601 or via email at dh@barclaysimpson.com.

Our combines our review of the prevailing conditions in the internal audit recruitment market with the results of our latest employer and candidate surveys.

Image credit: Taweesak_ via Pixabay