The Chartered Institute of Internal Auditors last week dropped their 'Risk in Focus 2020' report. The report compiles the results of interviews with 46 Chief Audit Executives (CAEs) from across eight European institutes of internal auditors. Furthermore, it draws upon the responses from the 528 surveys which the institute received. In a nutshell, the report has some solid contributors, meaning, if it's ranked in the top 10 areas which are concerning other CAEs, chances are you should be thinking about it too.
Now, I would be lying if I said I didn't get excited about this report. Firstly, it gives me a guide as to how relevant or risk appropriate our plan is. Whilst not everything in the top 10 is applicable to my own clients, it's nonetheless a guide as to what we should be considering or focusing on. Secondly, it's when everyone else starts to bring out their own audit priorities. Shortly, we should see each of the Big 4 drop their own equivalents, and this can be a great asset when conducting annual planning for next year.
From a personal perspective, I didn't find there to be too many surprises with what made it into the top 10. Items such as Cyber Security and Digitalisation are very much expected. As businesses move forward and adopt new technologies, or legacy systems become outdated and unsupported, the need for businesses to keep pace with technology and be ahead of the curve is becoming increasingly important. This places large risks on the IT teams to maintain a level of service expected by both the business and consumers, but also protect current systems, move to new systems, and ensure there is sufficient security in place to protect against any cyber threats. The 2020 report, I think, reflects this extremely well; however, it would be interesting to see or understand how much businesses are investing in their IT capabilities, how much this investment has increased over time, and whether businesses believe they are at a standard they would deem as sufficient / appropriate regarding cyber security.
Similarly, I find the increase in regulatory burden and geopolitical instabilities to hardly be a surprise, particularly for Europe. As the report points out, the introduction of GDPR in 2018 was a substantial piece of legislation requiring businesses to undertake large amounts of work to become compliant. There have been a number of fines issued already (British Airways and Marriott Hotels for instance), yet as we should now be well established and adhering to the requirements of the GDPR, it would be fair to assume that the ICO will begin issuing more fines or penalties over the coming years. Aside from GDPR, the Brexit chaos and the new Senior Managers and Certification Regime (SMCR) are just more examples of regulatory burden and geopolitical instability impacting on businesses.
From a very personal perspective, I found it disappointing that Climate Change now featured at number 10, compared to number four last year. I am a great believer that businesses are not prepared for all the possible impacts of climate change. I have previously prepared a document regarding how businesses can understand what their key climate change risks are. The document can be viewed here. It is my opinion that both climate change and business resilience should be considered together. Whilst the UK may not be experiencing the full effects of climate change locally, abroad Australia is currently experiencing one of the worst droughts on record. The lack of rain (and lack of forecast rain in the foreseeable future) is not only going to cripple farmers and mines specifically, but also the communities they operate within. As farmers stop producing and mines cut back on production or close altogether, the impact will start to be felt by consumers at supermarkets and high streets across the country. Businesses need to plan for not only what they can do to remain resilient during climate change and adverse weather, but also how they protect their employees and consumers during such events. Often these things are not dealt with until it is too late, but in saying this, the fact that business resilience and climate change have both ranked within the top 10 is clearly a sign businesses (or at least audit) are moving in the right direction.
My biggest takeaway from this report, however, is ensuring audit functions are equipped with the right teams and resources. Whilst I am a fan of the co-sourced audit functions, whereby specialist skills, typically from the Big 4, are leveraged to support the in-house audit teams, care should be taken by CAEs to not become dependent or complacent. I believe there is great benefit in embedding audit team members with outsourced members as this helps their understanding and ensures those from external are well aware of the business, how it operates, and its risk tolerance. Failure to work collaboratively, openly and transparently with the co-sourced provider can result in significant knowledge gaps throughout the audit process.
Overall, I found the document to be extremely current, relevant, and fit for purpose. The inclusion of the 'Questions for internal audit' is extremely valuable and something that should be leveraged throughout the annual planning processes, or during specific audits.
The full report can be accessed by clicking here or on the report image.