Annually, the Internal Audit Foundation (IAF) provides the Risk in Focus report, which contains insights on risk and trends for internal auditors and their stakeholders.
The IAF surveyed Chief Audit Executives (CAEs) and heads of internal audit from March 21, 2024, through May 20, 2024, to identify current and trending risks. A total of 3,544 responses were received globally, including 418 in North America.
The results from the global survey reveal the top three risk areas are cybersecurity, business continuity and human capital. Similarly, the survey in North America notes cybersecurity, human capital and digital disruption (including AI) as the top three risk areas. A common theme between the two surveys is the sentiment that digital disruption and climate change are emerging within the next three years.
Risk Drivers of Emerging Risks
The IAF breaks down risk drivers into two categories: direct and indirect. Direct risk drivers have a strong impact on companies, while indirect risk drivers take longer to influence risk but have the potential to have a strong impact.
The report identifies the three largest direct risk drivers as regulations, financial impact and business opportunity. These drivers are often prioritized in internal audit scope and have more immediate results. For example, the introduction of a new regulation that affects a company will be prioritized in an audit plan, as there are consequences for noncompliance.
The top indirect risk drivers identified are politics, public opinion and social impact. Presidential elections often lead to some uncertainty regarding new or changing regulations. While factors like these will not have an immediate effect on a company, they should still be considered in the long-term strategy. Both types of risk drivers affect a company’s approach to digital disruption and climate change.
Digital Disruption
While digital disruption currently stands as the third highest risk in North America, seventy percent of North American CAEs project that it will continue to be a top risk in the next three years, second only to cybersecurity.
Radical changes to technology have become apparent in the past few years with the development of AI, which comes with huge risks for companies. Although companies understand digital transformation controls, generative AI has not yet received the same level of consideration regarding governance and controls. The management of AI should be considered alongside policies and procedures as AI continues to evolve in the workspace.
AI is interconnected with several risks, including cybersecurity, fraud and human capital. Attackers can now leverage AI for malicious schemes and attacks, like spreading malicious software across networks or devices to compromise systems more efficiently. Similarly, AI can enhance fraud schemes.
An instance in Hong Kong involved fraudsters utilizing deepfake technology to pose as a company’s CFO, leading to a finance employee being conned into paying $25 million to the fraudster. Staffing, training and recruitment are concerns relating to human capital. Continuing to educate internal auditors in AI governance and controls will be key to filling gaps in staffing.
Climate Change
While climate change has been a hot topic within the industry, it only ranks fourteenth in this year’s top risks. Twenty-seven percent of North American CAEs or heads of internal audit expect climate change to be a top five risk in the next three years, although leaders note that climate risk will remain low until regulations apply to their organizations.
At the federal level, the U.S. Securities and Exchange Commission (SEC) began the implementation of climate disclosures for certain publicly traded companies, although it has since halted implementation due to pending litigation.
Additionally, California has passed legislation relating to climate reporting, which will be effective in 2026. Although these laws are not yet fully implemented, there is a reputational risk of greenwashing (the practice of a company misleading consumers by falsely presenting its products, policies or activities as environmentally friendly), as well as the need to prepare for when the regulation is fully implemented.
How Does This Affect the Internal Audit Plan?
The CAEs noted that while the top risks were identified, these do not necessarily dictate the audit plan for the year. For example, despite human capital being identified as a top three risk, it ranks ninth as an audit priority. The top five audit priorities across all industries include cybersecurity, governance/corporate reporting, regulatory change, business continuity and financial liquidity.
Some overall risks include external factors, like geopolitical uncertainty, that internal audit may not be able to take direct action to mitigate but that may be incorporated in other areas of the audit plan. For example, geopolitical uncertainty could be included in regulatory change, business continuity and supply chain.
To effectively address identified risks and ensure a comprehensive audit plan, consider the following:
- Develop a short-term and long-term risk assessment to identify both current risks and expected future risks.
- Stay current on new or upcoming regulations that affect your business and any changes to regulations.
- Become educated on opportunities for innovative technology, like AI, but stay cognizant of the risks that come with it. Further, continue to educate employees about the risks of using such technology, including an understanding of acceptable use and ethics.
- Implement continuous monitoring over any emerging risk areas to keep the audit plan dynamic and responsive.
- Communicate with key stakeholders like management and other relevant departments for additional insights on emerging risks in your industry.
The insights from the IAF’s Risk in Focus report highlight the ever-evolving landscape of risks that internal auditors must navigate.
With cybersecurity, human capital and digital disruption at the forefront, and emerging concerns like climate change gaining traction, it is imperative for audit plans to be both comprehensive and adaptable.
By staying informed about new regulations, leveraging technology responsibly and maintaining open communication with stakeholders, internal auditors can effectively address both current and future risks.
This proactive approach not only enhances the audit process but also strengthens the organization’s resilience in an ever-changing environment.
About Schneider Downs Risk Advisory
Our team of experienced risk advisory professionals focuses on collaborating with your organization to identify and effectively mitigate risks. Our goal is not only to understand the risks related to potential loss to the organization, but also to drive solutions that add value to your organization and advise on opportunities to ensure minimal disruption to your business.