The 2020 Pulse of Internal Audit, a report released this week by the Institute of Internal Auditors reveals serious gaps in internal audit’s coverage, with audit plans deficient in key risk areas, including:
- Almost one-third of respondents did not include cybersecurity and information technology in their audit plans.
- More than half did not include governance and culture or third-party relationships.
- Ninety percent did not include sustainability.
To be sure, chief audit executives’ perceptions about risk levels increased dramatically over the past four years in many risk areas. For example, CAEs who rated cyber as a high or very high risk to their organizations jumped from 60 percent to 77 percent during the period. Third-party relationships (35 percent to 51 percent) and IT (39 percent to 59 percent) saw similar sharp increases.
However, audit plan allocations did not reflect a similar urgency, as they evolved gradually. For example, audit plan allocations for cyber increased from 6.3 percent to 7.3 percent; third-party relationships went from 3.3 percent to 3.8 percent; and IT dropped from 9.2 percent to 9 percent.
“One of the most surprising and alarming findings is that nearly one-third (32 percent) of those surveyed do not expect to allocate any internal audit resources to cybersecurity, an ever-present and dynamic risk that consistently rates among those most concerning to boards and executive management,” the report states. “This troubling situation is worse among public sector functions, where more than half (54 percent) report no resource allocation to cybersecurity.”
The 2020 Pulse report, based on input from more than 600 internal audit executives, includes in-depth analysis of key risk and audit plan allocation trends, including breakouts for organization types, which audit leaders and stakeholders can use to benchmark against those of their peers. These side-by-side comparisons show the stark difference between how CAEs view risks and how internal audit resources are allocated. 