A new survey of the top risks that most concern chief internal auditors finds that cybersecurity and data privacy are among the issues that still cause the most headaches for company officials.
The research, conducted by the Chartered Institute of Internal Auditors and based on responses from more than 300 chief audit executives working at organizations across Europe, finds that cybersecurity ranks as the biggest risk those companies face. The second most concerning risk, according to respondents, was compliance, followed by data security and human resources and people risk.
A full two-thirds (66 percent) of internal audit respondents put cybersecurity in the top five risks their organizations face, while 15 percent ranked it as the top risk. Meanwhile, 58 percent of survey respondents included compliance and data security in the top five, with 13 percent ranking compliance first and another 8 percent saying regulatory change is the top concern. (See the full list of top 10 risks below.)
The research was published as part of the Chartered Institute of Internal Auditors’ latest annual risk report “Risk in Focus.” The report is produced by seven European institutes of internal auditors, covering eight EU countries, and highlights the top risks that should be high on organizational agendas in 2019 and further into the future.
Top 10 Risks
The top risks facing organizations, identified by chief internal auditors, are as follows:
- Cybersecurity: 66%
- Compliance: 58%
- Data security & protection: 58%
- HR & people risk: 42%
- Regulatory change: 37%
- Digitalization: 36%
- Innovation: 28%
- Culture: 25%
- Outsourcing & third party: 24%
- Political uncertainty: 23%
“It is not surprising that organizations are most concerned with cybersecurity, compliance, and data protection in a post-GDPR world,” says Ian Peters, chief executive of the Chartered Institute of Internal Auditors. “Cybersecurity has been a high-priority risk for a number of years and this shows no signs of abating. However, companies are pushing to move away from legacy systems and, as approaches to managing cyber-risk mature, attention is turning to third-party defensibility,” he continued.
“High-profile cyberattacks such as Petya and WannaCry are becoming more and more prevalent and this means that organizations are only as strong as the weakest link in their IT supply chain.” Peters says.
Risk Mitigation Hurdles
According to the Chartered IIA, A major obstacle to mitigating cyber-risk is the piecemeal approach organizations have taken to their IT infrastructure planning and development over past decades. Poor governance and oversight of IT functions has meant businesses have gradually built siloed systems and bolted on parts of their network over a period when cyber risk was low, the Institute noted in its report.
The report concluded: “It is important now that organizations turn to looking at outsourced or third-party supply chains to ensure that they are not vulnerable to cyber-attacks.”
Trade Tension Risks
The report also noted the risks raised by recent trade conflicts and the deterioration of trade agreements between some nations and regions. “Recent protectionism in global trade, in particular tariffs brought by the U.S. administration, represents a risk to organizations’ revenue growth. Boards and audit committees and their internal audit functions may choose to keep a watching brief on these developments,” the report states.
Although the report didn’t directly compare the risks chief audit executives are most concerned about with the issues that internal audit plans to assess during 2019 audits, the reports authors say there is some evidence that there is some misalignment between what respondents says are the top risks and what internal audit it actually focused on. The institute urges CAE’s and audit committees to pay close attention to audit planning processes to ensure that internal audit teams are taking a truly risk-based approach. 