Key Risk Themes for Internal Audit in 2017

4 Areas Impacting the Entire Organization

Audit experts from CEB present the findings of the company’s annual Audit Plan Hot Spots report, which is based on interviews and surveys with more than 150 Chief Audit Executives.  This article outlines the major risks CAEs plan to track closely this year – both expected risks and new and surprising themes.

with co-author Barton Edgerton

For more than a decade, CEB has tracked the risks Chief Audit Executives (CAEs) watch closely. By interviewing and surveying CAEs at some of the world’s largest and most complex organizations, we’ve seen the way organizational risks have shifted over time.

Few risks are “easy” to manage. But while key risks in the past, such as financial misstatements, could often be addressed individually and largely managed through individual controls, today’s risks are multifaceted and interconnected. In fact, the risks CAEs are including on their audit plans in 2017 cover four broad themes that affect the entire organization. They have interdependencies between them and can only be addressed through coordinated remediation efforts. They include “diseconomies” of scale, digitization and the rapid proliferation of technology, volatility in the macro environment and heightened public scrutiny.

“Diseconomies” of Scale

Organizations today are larger than they were in the past, and although size brings organizations economies of scale, it also leads to greater complexity and an increased cost of coordinating activities. These so-called “diseconomies of scale,” or hidden costs of size, are often seen only by functions with a central viewpoint, such as audit. This year, they contribute to three risks CAEs are tracking: third-party relationships, strategic decision-making and execution and change fatigue.

Third-party relationships are a perennial risk, but one that continues to grow in importance. Third-party access to sensitive data and the lack of visibility into layers of third parties, often including a dense thicket of fourth and fifth parties, are key factors driving this risk as one to watch this year.

Size and complexity also make it more difficult to assimilate the right information for quick and effective strategic decision-making and execution. Core business activities, such as recruitment and procurement, now take on average 20 to 40 percent longer than five years ago. At the same time, large organizations change constantly. CEB found that the number of change events the average employee experiences toady has increased more than 70 percent since 2011. Executives expect this pace will only escalate, especially with high levels of M&A. This heightens the risk of employee change fatigue, which can lead to a 5 percent drop in productivity.

Given the fact that these risks aren’t often on management’s radar, audit should be sure to highlight them for senior leadership. From there, they should ensure the organization works toward establishing frameworks for third-party risk management and organizational effectiveness. Most organizations have plenty of room to improve – for instance, only 20 percent currently have an established or world-class third-party governance framework.

Digitization and the Rapid Proliferation of Technology

Every company is now a technology company, and the pace of technological innovation continues to increase. These technologies create opportunities for brand new industries like autonomous cars and augmented reality, but they also create risks for companies. Yet despite increasing awareness of cybersecurity and data risks, organizations are still underprepared to deal with new technologies – only half of data privacy functions say that their organizations are managing their data properly. Digitization and technology proliferation has led to a rise in external cybersecurity threats, internal cybersecurity vulnerabilities and risks related to the pace of innovation.

Our research shows that in addition to facing increasingly complex external cyberthreats, organizations are unknowingly making themselves more vulnerable. For instance, agile project management principles, now used pervasively, have less of a built-in focus on security than traditionally managed projects. Furthermore, organizations may open new internal cybersecurity vulnerabilities when connecting technology assets to the internet and to corporate IT systems.

Finally, large organizations have difficulty increasing their pace of innovation to capture the upside of digitization. Their efforts are often slowed by increased risk aversion resulting from years of cost-cutting – in fact, 77 percent of finance executives say there is currently more risk aversion in project funding.

To address these risks, Audit should keep the board adequately informed of new types of cyberthreats, review organizations’ IT governance frameworks and help map out organizationwide innovation efforts.

Volatility in the Macro Environment

The macro environment – the complex mix of political, social and economic forces in which firms operate – is facing seemingly unprecedented volatility. This volatility contributes to the risks of political uncertainty, strategic workforce planning and budgeting and forecasting.

Over the past year, political risk has spread from developing markets to developed markets. CAEs are now having to ask themselves how to incorporate a political dimension to audit planning and engagements. A variety of macro shifts also impact workforce planning. These include things like migration and immigration issues, automation and robotics and generational changes – areas where assurance functions have not historically focused, but where they are now forced to assess risk and controls.

Finally, macro volatility in global financial markets can disrupt planning efforts, and budgeting and forecasting often suffer. Organizations can experience swings in earnings of 2 percent from FX volatility and stand to lose 20 percent of their growth potential due to inefficient budgeting processes.

Audit can help organizations mitigate these risks by highlighting elements of political risk to management during audit engagements, partnering with HR to evaluate the impact of demographic shifts on strategic plans and reviewing the effectiveness of financial planning processes.

Heightened Public Scrutiny

The fourth risk theme for 2017 is both a force in its own right and a consequence of the three earlier themes. The increase in company size and complexity, rise of digital technology and macroeconomic shifts mean that organizations are facing an unprecedented amount of scrutiny from the public, be it regulators, consumers or bodies such as the OECD.

The risks under the heightened public scrutiny theme – data privacy, international tax planning and organizational sustainability – neatly demonstrate the wide range of demands on global organizations. As regulations come into place, audit departments often have to scramble to check their organizations’ readiness for everything from international frameworks such as the OECD’s BEPS (for international tax planning) and the EU’s upcoming General Data Protection Regulation (for data privacy) to demands from shareholders for sustainable practices in supply chains.

Given its position in the company, audit should take a bigger role in proactively ensuring sufficient planning for upcoming regulatory changes takes place across departments and that emerging issues among stakeholders are pre-emptively addressed.

The Challenge and Opportunity for Internal Audit

These wide-ranging risks vastly increase the difficulty for CAEs to provide comprehensive assurance to the board. At the same time, they present a great opportunity for audit to leverage its unique holistic view of the organization and long history of evidence-based guidance to spot risks earlier and find systemic risk trends that help fulfill their mandate.