As internal audit teams work on their audit plan for 2019, a new report sheds light on where some of the trouble spots are likely to occur for companies, and where internal audit may want to consider focusing its scrutiny and assurance efforts.
Last week, technology research firm Gartner issued its annual look at “Audit Plan Hot Spots: Risk Areas to Watch.” While the list has a decidedly tech focus, the reasoning behind including each of the risk areas provides some good insight for internal auditors as they continue their risk assessments and look to benchmark audit plan coverage. And, of course, tech risks feature prominently on any company’s risk register these days.
Risks surrounding data and analytics are the primary concerns of chief audit executives (CAEs) for 2019, according to Gartner. Cybersecurity preparedness tops the list, followed closely by data governance and risks from third-party related activities. The list of audit plan hot spots is based on a survey of 144 Gartner CAE clients. The firm says the list identifies the major risks that boards, audit committees, and executives need to prepare for in the coming year.
Pursuit of digital business models to drive growth has increased the amount of data collected and processed by businesses at a time when public and regulatory scrutiny is very high, says Gartner. This has led to heightened risks around data governance, which CAEs plan to watch closely.
Risk ‘Hot Spots’ for 2019:
- Cybersecurity Preparedness
- Data Governance
- Third-Parties
- Data Privacy
- Ethics and Integrity
“Companies face major challenges in applying proper data governance, maximizing the value they get from data, and complying with the fragmented data regulation landscape,” said Malcolm Murray, vice president of audit research at Gartner. “Recent high-profile data breaches and increased public attention have raised the stakes for organizational accountability, and it’s only going to get tougher in 2019.”
Top Data Risks for 2019
The top data and analytics risks that will concern audit executives in 2019:
Data governance: New data privacy regulations such as the EU’s General Data Protection Regulation (GDPR) and high-profile breaches have expanded the compliance, financial, and reputational risks of data usage and protection. Although data-driven business strategies are necessary to increase efficiency and competitiveness, only 37 percent of organizations have formal data governance frameworks in place.
As the complexity and volume of data increases, companies should implement formal data governance frameworks, advises Gartner, to mitigate the risks caused by security threats and privacy issues. Companies can develop a framework by first creating an inventory of data assets across the business and establishing a data classification policy. In addition, they should review data analytics training and talent assessments.
Third parties: As companies increasingly rely on partnerships for digital initiatives, they are expanding their reliance on third parties, as well as fourth and fifth parties, if not even more levels. This amplifies their exposure to operational and regulatory risk. Nearly 70 percent of CAEs report third-party risk as one of their top concerns, but many organizations still struggle to account for and manage it.
To help mitigate this risk, organizations must increase visibility into the operations of third parties and strengthen their focus on third parties’ information security behaviors. Internal audit teams can help by evaluating third-party contracts and compliance efforts, says Gartner, as well as investigating regulatory requirements for third-party data handling.
Data privacy: Although data can confer competitive advantages, recent high-profile security breaches show the negative impact of data privacy failures. In fact, data privacy is a top concern for organizations across the board. Companies such as Yahoo, Facebook, Equifax, Uber, and many more know all too well how devastating such breaches can be to their businesses.
In response to the GDPR enforcement uncertainty, companies must expedite implementation of GDPR mandates—such as transparency, consent, and breach reporting—or risk regulatory fines and other sanctions. Organizations must also take steps to regain customers’ trust, or suffer a potential loss of customers. Gartner has predicted that more than half of companies affected by GDPR will not be in full compliance with it by the end of 2018.
“Data-related risks continue to evolve, and CAEs have a key role to play in helping companies implement clear frameworks and repeatable processes to navigate this ever-changing threat landscape,” said Gartner’s Murray.
Other ‘Hot Spots’
In addition to data and analytics, other risk themes CAEs are watching closely for 2019, says Gartner, include risks stemming from cost and growth pressures and the vastly shortened planning horizon that executives face.
Another, non-tech based risk area that is included on Gartner’s audit plan hot spots list is ethics and integrity, which the firm says is an evolution of last year’s culture hot spot.
“Corporate culture and ethics have made headlines in recent years. These issues become more complex as organizations begin to focus on the social and digital aspects of integrity,” the report states. “Boards and senior management feel increasingly comfortable making public statements reflecting corporate ethics but need to make more progress at actually managing risk. Failure to improve on this front can expose organizations to legal and regulatory risk, reduced productivity, and reputational damage.”
According to the report, 40 percent of CAEs say they definitely plan to include culture in audit activities in the next 12 to 18 months. Still, internal auditors have some improvements to make on conducting such audits. More than a fourth of respondents (27 percent) say they aren’t confident in internal audit’s ability to audit culture, and another 28 percent say they are only somewhat confident.
2018 Audit Plan Hot Spots:
- Data Privacy
- Cloud Vulnerabilities
- Information Security Behaviors
- Corporate Culture
- Fraud
While the technology-related risks identified in the report are certainly important risk areas for companies to watch, there are several other lists and analysis of internal audit concerns that can be used to inform the audit plan. Some of the common themes of these reports are that internal audit remains highly concerned about acquiring the right talent, including data analytics skills; increased regulation; and responding to disruption. Those issues are sure to figure prominently in audit plans for next year.
Technology Confidence Increasing?
Recent studies and reports have also suggested that internal audit has been slow to embrace technology and that it seems to struggle when it comes to auditing sophisticated and emerging technology areas.
That may be starting to change. According the to the Gartner report, 53 percent of the CAEs interviewed said they were “highly confident” in internal audit’s ability to provide assurance over cybersecurity detection and prevention risks. Another 34 percent were “somewhat confident,” and only 13 percent said they were not confident. 
Joseph McCafferty is Editor & Publisher of Internal Audit 360°