What key risks do internal auditors face in 2019?

Most internal audit departments are probably well underway with their annual audit plans for 2019. But there’s still plenty of time to make adjustments for next year if new risks are identified in the coming months.
Last year, we explored the biggest issues that internal auditors expected to face in 2018, based on the annual Risk in Focus report from the European Institutes of Internal Auditors (EIIA).
Well, it’s that time of year again, so let’s see what changes have occurred in the internal audit landscape over the last 12 months. Here are five major risks that professionals are currently concerned about:

1. Cyber security

Two-thirds of chief audit executives (CAEs) cited cyber security as a top-five risk to their organisation, meaning it clinched the top spot for the second year in a row. Overall, 15 per cent of respondents claimed cyber was their biggest worry.


A common problem is the siloed nature of many IT environments. Organisations have usually built up disparate systems independently over the years, creating significant gaps in security and difficulties with oversight.


Auditors will need to provide assurance that third-party providers, such as cloud services companies, have adequate standards and controls in place. After all, Microsoft reported attacks on its cloud services quadrupled in 2017.

2. Compliance

Regulatory compliance is often a priority for internal auditors, and this year is no exception. Fifty-eight per cent of CAEs said compliance was a top-five risk, while 13 per cent ranked it first.


Anti-bribery and anti-corruption (ABC) compliance emerged as a hot topic for 2019, as globally co-ordinated enforcement efforts and record-breaking fines begin to take effect.


In 2016, Brazilian engineering and construction company Odebrecht agreed to pay $3.5 billion (£2.67 billion) in fines after being accused of spending billions of dollars on bribes worldwide. The penalty was later reduced to $2.6 billion, but regulators appear to be upping the stakes when it comes to ABC.

3. Data security and protection

It’s hardly a surprise that data security and protection is a top-five risk for internal auditors in 2019, given the introduction of GDPR earlier this year. The implementation deadline may have passed, allowing compliance teams to breathe a sigh of relief for now. However, internal audit departments will now be tasked with assessing how well businesses have complied with the regulation so far.


TrustArc figures show that just 27 per cent of EU organisations said they were fully compliant with GDPR one month after the enforcement date had passed. Less than three-quarters (75 per cent) expect to be compliant by the end of 2018.

4. HR and people risk

Nearly a year has passed since the Harvey Weinstein scandal, but the #MeToo movement and issues of diversity in the workplace remain headline news worldwide.


Auditors identified company culture as a major risk in last year’s EIIA report, although the main focus was on the tone at the top and ensuring positive attitudes were effectively passed down from middle management to the front line. This year, discrimination, staff inequality and diversity are dominating audit plans.


Key questions that internal auditors should address include:

  • Are senior managers taking the fair treatment of women and other marginalised groups seriously?
  • Is there an appropriate tone at the top regarding sexual harassment?
  • Does the company have clear anti-harassment policies?
  • Is the organisation required to report on gender pay gaps?

5. Regulatory change

In 2017, regulatory uncertainty was the second biggest risk CAEs felt they would face this year. This was largely due to the impending introduction of key legislative reforms such as GDPR, MiFID II and the Payment Services Directive II.


Next year is quieter on the regulatory front, which is reflected in a noticeable drop in this risk down the list of priorities for internal auditors. Nevertheless, 8 per cent of respondents still cited regulatory change as their primary concern in 2019.


Trade sanctions and protectionism are among the major regulatory risks that are keeping CAEs awake at night, particularly as relations between the US and China are deteriorating and the possibility of a hard Brexit increases.

Rising to the challenges of 2019

Cyber security remains the top concern for the second year in a row, but a number of new challenges appear to be troubling auditors as we approach the final quarter of 2018.


Does your business have the right mix of skills and experience to cope with the risks currently on the horizon? If not, now may be the time to consider strengthening your internal audit teams.


To discuss your corporate governance recruitment needs, please contact Barclay Simpson on 020 7936 2601. Alternatively, you can email me directly at rb@barclaysimpson.com.

