Amidst a wide range of challenges in 2020, including a global pandemic and social unrest, cybersecurity and data security risks remain top-of-mind for chief audit executives and audit committee members in Europe, the annual Risk in Focus survey from the Chartered Institute of Internal Auditors (IIA) finds. For the third year in a row, cybersecurity was the most concerning area of risk, with 79 percent of survey respondents citing this issue as a top priority as employees shift to remote work during the COVID-19 pandemic. Because employees are no longer protected by the security features utilized in office environments, phishing attempts and malware infections are on the rise. Slightly more than half of the 579 survey respondents are focused on risks associated with digitization, new technologies, and AI.
“Businesses are operating in extraordinary times and have had to adapt to new challenges this year like never before,” John Wood, chief executive of the Chartered IIA, said in regards to the study’s findings. “Coronavirus has exacerbated existing risks, forcing organizations to think from completely new angles or assign new levels of priority to them. Cybersecurity is a case in point. Though a perennial front-of-mind risk for boards, the rise in remote working means cybersecurity issues have taken on a new dimension and IT infrastructure has had to adapt in record time.”
Companies are also increasingly aware of financial, capital, and liquidity risks as a recession looms, with 42 percent of survey respondents citing this as one of their top five risk concern areas, a 40 percent increase from last year’s survey. “The global coronavirus pandemic is the most significant and far-reaching event for businesses since at least the global financial crisis of 2008, and is expected to cause a deeper recession, higher rates of unemployment, and bigger increases in public debt,” the report’s authors wrote.
Bribery, fraud, and other financial crime, as well as supply chain, outsourcing, and “nth” party risk land on a quarter of CAE’s risk radars, respectively. Regulatory change and compliance are a top concern for 59 percent of survey respondents, while corporate governance and reporting are a concern for 25 percent of respondents. This year’s survey and interview process included audit committee chairs for the first time.
Chartered IIA also added disasters and crisis response as an option in this year’s survey, which was selected as a top five risk priority by a third of CAEs. Climate change and environmental sustainability are also a top concern of 22 percent of respondents, a 50 percent increase from last year’s survey. Despite the increase, Chartered IIA expressed surprise at the lack of attention in this area given demands from investors and customers for urgent action on climate change. More than forty percent of respondents cited this as a significant risk area they will focus on in the future.
The report also highlights a disconnect between the areas of concern versus the amount of time spent auditing each area of risk. For example, corporate governance and reporting was the tenth most cited risk, but it is the third highest on the list of amount of time and effort internal auditors dedicate to risk assessment and management.
Chartered IIA issued a number of recommendations to assist organizations facing these risks. Regarding cybersecurity, the group recommends introducing new IT protocols specific to remote work arrangements, including training employees on how to spot phishing and spear-phishing attempts. Internal auditors can help lead assessments of gaps and inefficiencies within business operations to find cost-saving opportunities.
Elizabeth Mullen is an editorial consultant for Internal Audit 360°.