As the scale of emerging technology risks facing companies continue to multiply, IT auditors play a key role in identifying these threats and helping their organizations to navigate them. A new survey conducted by Protiviti and The Institute of Internal Auditors (IIA) reveals which risks are keeping IT auditors up at night.
The 11th annual “Global Technology Audit Risks Survey” polled a group of over 550 Chief Audit Executives (CAEs) and IT audit professionals on the technology risks their companies face over near-term (12 month) and medium-term (two to three year) time horizons. The survey revealed a number of key risks that the internal audit function is most concerned about, including:
1) Cybersecurity is the top priority by a wide margin.
Nearly 75 percent of respondents, and an even higher percentage (82 percent) of CAEs and technology audit leaders, consider cybersecurity to be a high-risk area over the next 12 months. To address this risk, leaders and executives need to put mitigation plans into place. With the increased integration of emerging technologies into business functions, organizations anticipate that next-gen cyber threats pose the most significant risks over the next two to three years.
2) AI is an emerging risk with significant gaps in organizational preparedness and internal audit proficiency.
Only 28 percent of respondents indicate the use of AI (including generative AI) and machine learning (ML) as posing significant threats over the next 12 months. However, while AI may not be perceived as an immediate threat, it is rising rapidly on the risk horizon. Specifically, 54 percent of survey participants believe advanced AI systems, including generative AI, present substantial risks in the coming two to three years. As the technology becomes more widely accepted and integrated into business operations, the complexities and uncertainties it introduces will become more pressing. Few organizations believe their level of preparedness or the proficiency of their technology audit group in handling AI and GenAI and ML risks are at acceptable levels.
3) The talent gap in IT is a growing concern.
For companies to address cyber- and AI-related risks, they need to hire talent with a deep understanding of these spaces at a time when such talent and skills are scarce. Companies must focus on hiring the leaders and team members they need as well as retaining and upskilling the existing talent pool. Companies with insufficient talent and intellectual capital in areas like cyber and AI will find themselves exposed when these risks become reality.
Other areas that the audit function identifies as significant threats over the next twelve months include third parties/vendors (60 percent), data privacy and compliance (58 percent), and transformations and system implementations (55 percent).
“When it comes to technology challenges, not only are companies facing a wide range of threats, but each of these threats is changing at an alarming rate,” said Angelo Poulikakos, leader of Protiviti’s Technology Audit and Advisory practice. “Risks related to cyber and AI look radically different than a few years ago, and will surely continue to evolve. Companies that conduct internal audits more frequently and integrate advanced analytical tools and techniques into their audit processes will be more on top of these changes and consequently more prepared when real issues arise. Many organizations are now dealing with the strategic risks of the long-term talent gap, which is why we’re seeing more CAEs and auditors recognize this challenge.”
“IT auditors play a critical role in helping their companies see around corners when it comes to technology risks across the enterprise,” said Brad J. Monterio, EVP of member competency and learning at the IIA. “This survey offers valuable insights to CAEs and their teams on where they may need to concentrate their efforts in the coming years as they shape their audit plans. It also helps identify the areas where organizations should consider strategically investing in talent to bolster their risk preparedness.”
This report is based on a survey, fielded from June through July of 2023, of 559 chief audit executives (CAEs) and IT audit professionals, representing a wide range of industries globally.