External Threats Loom Large
With 2019 planning on the horizon, audit teams are beginning to consider external factors that threaten to disrupt the success of their organization’s key objectives. Gartner’s Malcolm Murray, Rafael Go and Leslee McKnight analyze 11 key risks, connected by four major risk themes, that can help audit teams more effectively identify risks to their organization and their impact on the audit function and their stakeholders.
Ongoing favorable macroeconomic conditions have enabled organizations to continue pursuing growth strategies, adopting technologies such as RPA and cloud, engaging in extended M&A activities and expanding into foreign markets. To provide effective assurance over all these new initiatives, risks that are more strategic and technical in nature are increasingly being included on audit’s radar, expanding its breadth of risk coverage.
Each year, Gartner creates our annual Audit Plan Hot Spots report by combining input from interviews and surveys with over 200 chief audit executives (CAEs) from across our global network of client organizations, as well as extensive secondary literature reviews. This year, we discovered four key trends underlying the risks expressed by CAEs as being critical to guide their audit planning for 2019.
Theme 1: The Strategic Importance of Data
A growing number of organizations are using data as the basis for their business strategy and to improve customer experience. Data is also critical to the implementation of transformative technologies like robotic process automation (RPA) and artificial intelligence (AI). While harnessing data can be a source of competitive advantage, with big data comes big risks in terms of data quality, protection and responsible use. The following risks form a large component of the following hot spots this year:
Most organizational data is riddled with errors, so business decisions are often made using low-quality data. To reduce misguided decision-making and increase data-use efficiencies across the organization, data governance is paramount, yet most organizations lack data governance frameworks or are facing implementation challenges that severely hamper their ability to unlock the big data’s potential.
With the increase in new regulations and public scrutiny of organizations’ mishandling of data, data privacy is a top concern for organizations across the board. Security threats continue to grow —evidenced by the rise in data breaches — exposing organizations to regulatory fines and sanctions, as well as a potential loss of customers due to a lack of trust in organizations’ data protection capabilities.
Ethics and Integrity
As organizations race to implement new technologies, consideration of bias and ethics in digital initiatives often takes a back seat. However, regulators and consumers alike are starting to demand more accountability for ethics and integrity from organizations, forcing them to rethink whether and how they should be leveraging digital capabilities.
Audit can help the organization tackle data-related risks by participating in relevant working committees to provide input as governance frameworks are being built and conducting assurance projects around data usage, access, classification and training.
Theme 2: IT Vulnerabilities
The growing complexity of organizations’ technology infrastructures and increased use of new technologies — such as chatbots and the internet of things (IoT) — expand access points into the organization. Many of these technologies go unmonitored or are slow to be patched. The growing use by threat actors of advanced tools such as AI increases potential attack points and the frequency of attacks. Reliance on IT systems also makes them more susceptible to outages and downtime, which most organizations experienced at least once in the last year. Such outages can cripple productivity, reduce revenue and damage the organization’s brand. To protect the advantages that technology offers, organizations must overcome the following hot spot risk areas:
Cyberattacks are a reality for almost all organizations and result in significant financial loss, reputational damage and potential compliance issues. As threat actors continue to multiply and new technologies broaden the organization’s attack surface, cybersecurity preparedness is critical.
Seeking cost savings and efficiencies, more organizations are moving significant amounts of data and processes to the cloud, including sensitive and highly valuable information. With limited visibility into cloud providers’ activities and a multitude of cloud applications being used throughout the organization, cloud computing poses significant risks, such as data loss, outages and inappropriate data access.
There are several activities audit departments can perform to provide assurance over IT vulnerabilities, including assessing encryption, patch and vendor management and checking IT controls such as policies on privileged user accounts and cloud application security configurations.
Theme 3: Cost and Growth Pressures
Organizations face growing challenges to their business models from disruptive competitors. Consequently, organizations are rapidly undertaking more digital transformation projects, expanding into new sectors and markets and redesigning business strategies to keep pace. However, in seeking cost efficiencies and adopting new growth strategies, organizations need to be wary of weakening the control environment or deprioritizing governance and oversight. In addition, organizations must ensure that they have the workforce needed to meet their changing business objectives and strategies. Dependence on these new business strategies can manifest in the following risks:
As organizations look to maintain competitiveness and relevance in the digital marketplace, they are expanding their reliance on third parties. The interconnectedness of these relationships — as more businesses pursue ecosystem business models and third parties increase their own reliance on partners — amplifies operational and regulatory risk exposure.
Digital Business Transformation
Organizations are undergoing significant digital business transformation. These large undertakings are often executed rapidly, creating significant risk. These risks include reduced governance and oversight, as well as unintended consequences of increased fraud and potential resource waste.
Strategic Workforce Planning
Quick adoption of emerging technologies and automation creates uncertainty in determining the talent needs for achieving business objectives. Similarly, the broader use of data analytics and growing cybersecurity threats increase the demand for more technical talent, which can be hard to find and recruit. Combined, these factors make long-term strategic workforce planning exceedingly difficult.
For these risks, audit should conduct assurance projects focused on vendor and supplier contracts, improve governance of digital and automation projects, perform skills assessments and align the frequency and extent of updates to strategic assumptions.
Theme 4: Shortened Planning Horizons
Uncertainty and volatility have been prevailing features of 2018 and are likely to also be for 2019. The number of disruptions threatening business operations continues to grow, while many important policy questions remain unresolved.
Instability around the globe could precipitate economic decline and increase regulatory fragmentation. Growing scrutiny from both regulators and the public have forced organizations to consider accountability for their actions and rethink certain practices. All of these factors can make it harder for organizations to anticipate what needs to be included in scenario planning exercises, as well as to develop long-term strategies in a seemingly unpredictable environment. From this, the following risks emerge:
The volume and complexity of regulations organizations must comply with are mounting. More regulatory scrutiny in established areas, combined with regulatory uncertainty in new areas, like the digital economy, make it difficult for organizations to form long-term strategies and meet compliance requirements.
The number and scale of both internal and external factors that can disrupt business operations are ever increasing, yet many organizations are ill prepared to maintain critical business operations in the event of a disruption. Changing economic conditions and limited risk awareness can challenge operational resilience, eroding business value and competitiveness as organizations are unable to adapt and respond to changing conditions.
Trade and Tariffs
The global trade system faces the highest level of uncertainty in decades, and imposed and impending tariffs threaten organizations, supply chains and growth strategies. While the current volatility in the geopolitical environment raises uncertainty surrounding trade and tariffs, many organizations have already started feeling the consequences of trade restrictions.
Audit can help the organization mitigate these risks by reviewing the frequency of and inclusions in scenario planning, assessing the organization’s risk awareness and tolerance and evaluating the organization’s mechanisms for monitoring change in the regulatory and economic environment.
Internal Audit’s Challenge
Across 2019, it will be critical for organizations to manage these 11 risks. To do so, audit must provide assurance over perennial as well as new, increasingly dynamic risks, requiring the function to adapt its approach while maintaining its objectivity and independence.