What are 6 of the biggest risks for internal auditors in 2018?

As we settle into October, some people around the country are already starting to discuss whether it’s too early to begin making preparations for Christmas and New Year.


In the business world, however, it’s never too early to look ahead to the opportunities and challenges that could appear on the horizon. With that in mind, we thought we’d take a look at the biggest risks that internal auditors expect to face in 2018.


The European Institute of Internal Auditors (EIIA) has published a report on the hot topics professionals will focus on next year. So let’s take a look at some of the biggest risks that the EIIA highlighted.

1/ Cyber security

The WannaCry ransomware virus that attacked hundreds of well-known organisations worldwide earlier this year turned out to be a serious eye-opener for many organisations.


The NHS, FedEx, Deutsche Bahn and Telefonica were just some of the big names that the virus hit, emphasising weaknesses in IT systems that contained considerable amounts of sensitive personal information.


According to the EIIA, a persistent gap between awareness and preparedness remains. Citing PwC data, the institute noted that 62 per cent of businesses expect cyber risk to cause disruption within the next three years, yet nearly three-quarters reported low or no cyber maturity.


The EIIA claims the five key cyber essentials are:

  • Boundary firewalls and internet gateways;
  • Secure configuration;
  • Access control;
  • Malware protection; and
  • Patch management.

2/ Regulatory complexity and uncertainty

Organisations face a raft of new regulations in 2018, including:

  • The General Data Protection Regulation (GDPR);
  • The second Markets in Financial Instruments Directive, or MiFID II;
  • Two new IFRS Standards;
  • The Payment Services Directive II; and
  • Extended rules for the Senior Managers and Certification Regime.

While compliance divisions shoulder the majority of the risk burden for new regulations, internal auditors will be expected to provide assurance that everything is on track for key deadlines.


Business leaders may also wonder how Brexit negotiations will unfold next year, which is likely to have further repercussions on the regulatory environment.

3/ The GDPR

The GDPR could fit into both the cyber security and the regulatory complexity risk categories, but the EIIA believes the impact will be so significant that it deserves its own section.


Veritas statistics suggest that 31 per cent of decision-makers believe they are compliant with the regulation, but just two per cent appear to actually be ready when quizzed on key aspects.


It’s worth mentioning that these figures are from July this year, and many businesses will have progressed since then. Nevertheless, the disparity between the two figures indicates a lack of understanding of how to comply.


Penalties for non-compliance are severe; organisations may have to pay either four per cent of their revenues or €20 million, whichever is higher. The EIIA said TalkTalk’s estimated £400,000 fine following security failings in 2015 would have cost approximately £59 million under the GDPR.

4/ Keeping pace with innovation

Well-established multinational organisations are struggling to keep up with more agile, tech-driven competitors. This is particularly noticeable in financial services, where FinTech firms are disrupting the natural order of business.


One unnamed chief audit executive at a Spanish multinational banking group said internal audit must have crucial oversight regarding how innovation is handled.


“Everybody wants to create data lakes and use blockchain, but few think about what the correct risk frameworks for those activities are,” the source stated.


“The challenge is [when] you start managing this innovation with old risk management perspectives, because you are going to limit the innovation as it is conceptualised.”

5/ Cultural demands

Big businesses are suffering a reputation crisis, especially financial institutions and energy companies. This has resulted in a refocus on tone and culture at the top of organisations, and how to ensure proactive, positive attitudes are passed down through middle management to the front line.


The Financial Reporting Council (FRC) published a report on corporate culture last year that advised organisations to take a three-pronged approach to the issue:

  1. Connect strategy and purpose to culture: Boards should oversee the development of both strategic and cultural objectives. These goals should not be decided in isolation.
  2. Align values and incentives: Business leaders must ensure recruitment, performance management and incentive schemes reward employees who personify the organisation’s cultural objectives.
  3. Assess and measure: Auditing culture can be difficult due to the subjective nature of certain assessment priorities. Therefore, finding an objective way to measure performance and gain insight is crucial.

6/ Workforce planning

Strategic planning of workforce requirements is more important than ever before, as UK businesses undergo a generational shift due to the increasing number of millennials being hired and promoted.


Generation Y, as millennials are often otherwise known, have different attitudes to employment and work-life balance. Flexitime has become increasingly important to them, and a growing trend of contracting and temporary internal positions has been evident in recent years.


From an internal audit perspective, professionals must be able to identify HR risks such as poor retention and skills gaps, while also offering assurance that current systems are in alignment with workforce-planning strategies.


Businesses will also need to focus on the technology capabilities of staff, and how competent they need to be in this area for the future.

Are you ready for 2018?

The year ahead clearly poses a number of challenges to internal audit departments in the UK; some are familiar, while others are unique to 2018.


Ensure you have the right professionals in place to prepare your organisation for these pressures. With new regulations looming on the horizon, many businesses should consider their approach sooner rather than later.


Contact a consultant at Barclay Simpson today if you’d like to discuss your internal audit recruitment needs.

