Internal auditors see cyber as top risk

Internal audit leaders cited technology as the main driver of risk to their organizations, especially when it comes to cybersecurity, according to a new survey by the Institute of Internal Auditors.

The survey, released Monday during the IIA's General Audit Management conference in Grapevine, Texas, found that cybersecurity was cited by 78% of the 562 internal audit leaders who responded to the poll as being a high or very high risk to their organization, followed by IT (57%), and third-party relationships (51%), which often include with IT companies. The cluster of technology-related risks across the top three spots was mostly consistent across privately held and publicly traded companies, in the financial and public sectors, as well as not-for-profit organizations.  

"We consistently hear from our members that technology is the No. 1 driver of risk in today's increasingly complex business landscape, across organizations of all shapes and sizes," said IIA president and CEO Anthony Pugliese in a statement. "Modern business is more technology-reliant than at any point in history. Along with the opportunities that accompany rapid growth in artificial intelligence, digital data storage and cryptocurrencies, we see similar growth in risks related to data privacy, cybersecurity and biases in artificial intelligence, to name a few. Internal auditors and organizations around the world recognize that technology is both the single largest driver of both opportunity and risk." 

The past 12 months revealed positive trends for budgets and staffing, with overall budget increases outpacing decreases by more than three to one (38% vs 12%), the highest ratio in the IIA Pulse of Internal Audit survey's 15-year history.  

pugliese-anthony-iia-gam-conference-2022.jpg
Institute of Internal Auditors president and CEO Anthony Pugliese speaking at the IIA’s General Audit Management conference last year in Las Vegas

Internal staffing budgets increased for 45% of audit functions. Professional development budgets grew for 21% of functions, a significant increase compared with 8% last year. Travel budgets rose for 24% of audit functions, compared to only 4% last year, indicating a continued return to on-site visits after the outbreak of the COVID-19 pandemic. 

This year, the survey asked chief audit executives about the frequency of their audits. Nearly 70% of audit functions review high-risk areas such as cybersecurity and IT annually or continuously. Also new this year, CAEs were asked to identify which risks they consider when conducting audit engagements in general. The responses revealed that auditors often take a holistic approach and consider a wide range of issues. Fraud (90%) was the most frequently cited consideration, followed by IT (80%), cybersecurity (66%), and governance and culture (65%). The survey found that 22% of respondents considered sustainability risks, reflecting both the increased importance of environmental issues and their potential for extra scrutiny.  

The IIA has also been overhauling its standards and starting to reexamine its credentials this year, including the Certified Internal Auditor and Internal Audit Practitioner credentials. 

"Our CIA market study is actually looking at do we need to change our credential?" Pugliese said at the conference Monday. "Are we seeing waning interest in the credential by virtue of its design, or its content or anything? What do we need to do to pick the numbers up, because a lot of professional associations are changing their credentials to be either more tech heavy, to be more suited for things like micro credentialing, to be more option driven. You don't have a one size fits all to take a test and get a certain credential. We need to make sure that we are ahead of the curve on all of that. We've launched a study, and we want to gain greater insight into the current market for IAP and CIA credentials around the world. There are lots of nuances to that. We offer the exam in many languages. But we are getting a lot of feedback. We have to evaluate the alignment of the certification program design and features, with not just the needs of people taking the test right now, but with the next generation to come, looking at the learning trends and training trends of people who have not yet become ready to take the CIA exam."

Protiviti survey

Separately, the consulting firm Protiviti released its own survey last week of internal auditors. It found that 43% of chief audit executives and senior internal audit leaders report a lack of access to the talent they need. The findings also reveal that internal audit leaders view the ability to 1) recruit qualified candidates and 2) retain talent as their top priorities for the year ahead. 

"In a tight labor market, the internal audit function has not been spared in the war for talent, especially with heightening expectations of internal audit functions related to innovation, transformation and other hot topics," said Andrew Struthers-Kennedy, global leader of Protiviti's internal audit and financial advisory practice, in a statement. "This talent shortage comes as internal audit is expected to take on a greater role in helping companies navigate choppy waters created by changing risks, emerging regulations and shifts in business priorities. It's vital that audit leaders develop strategies to attract, retain and train qualified people while keeping their foot on the gas when it comes to evolving their function and maximizing their relevance for the future."

The Protiviti survey of 573 executives, including CAEs, audit directors and managers across industries globally, found that the most acute talent shortages occur in high-interest areas of machine learning and AI, with only 31% of CAEs and directors of auditing expressing confidence that they have access to enough people with the necessary talent and skills. A majority of the organizations surveyed believe they lack the necessary talent in assurance, dynamic risk assessment, continuous monitoring and process mining. The rapid, continual pursuit of data and technology abilities, across all industries and organization types, has intensified competition for tech-savvy talent, along with the need to upskill or retrain internal auditors. 

Apart from recruiting, upskilling and retaining talent, 36% of the surveyed CAEs and directors of auditing pointed to the rising cost of wages as a top concern for internal audit organizations today, and 34% cited the challenges of building and maintaining a culture focused on delivering relevance and value amid hybrid and remote working models.

For the survey respondents, training and developing staff was the most-cited strategy for securing talent and skills. There's a disconnect, though, as the organizations reporting the highest levels of next-generation internal audit maturity have pursued alternative strategies to gain access to talent, including co-sourcing arrangements and rotational and guest auditor programs, as a crucial supplement to their hiring and training activities. 

Within many internal audit organizations, the use of co-sourcing is rising in an effort to secure external resources and improve the internal team. That's particularly true for hard-to-find technology skill sets. 

For reprint and licensing requests for this article, click here.
Audit Audit preparation Cyber security Risk management
MORE FROM ACCOUNTING TODAY