Chief Audit Executives highlight top risks for internal auditors
A report published by the European Confederation of Institutes of Internal Auditing (ECIIA) highlights the top risks currently faced by organisations.
A new report highlights key business risks identified by Chief Audit Executives (CAEs) from across Europe. The 2020 edition of the report, which is now in its fourth year of preparation, was published in September 2019 and will be of interest for those working in internal audit.
The report “Risk in Focus 2020: Hot topics for internal auditors” is published by the European Confederation of Institutes of Internal Auditing (ECIIA). The ECIIA members include the internal audit institutes of UK and Ireland (the Chartered Institute of Internal Auditors/CIIA), Germany, Belgium, The Netherlands, Spain, Sweden, France, and Italy. The report is described as “an annual barometer of what CAEs perceive as their organisations’ risk priorities and what is preoccupying their thinking as they prepare their forthcoming audit plans.” It makes use of interviews conducted with 46 CAEs from the above institutes and comprises 528 responses. It is valuable as a guide to what CAEs throughout the UK and Europe view as the main types of risks facing their organisations.
The top five risks
The report summarises what CAEs regard as the top five risks to their organisation.
The top risks are ranked as follows:
Ranking | Category of risk | % Response |
|---|---|---|
1st | Data security and cybersecurity | 78 |
2nd | Regulatory change and compliance | 59 |
3rd | Digitisation, disruptive technology | 58 |
4th | Outsourcing, supply chains and third-party risk | 36 |
5th | Business continuity/resilience | 31 |
6th | Financial risks | 30 |
7th | Macroeconomic and political uncertainty | 29 |
8th | Human resources | 27 |
9th | Corporate governance and reporting | 26 |
10th | Communications and reputation | 22 |
11th | Corporate culture | 22 |
12th | Anti-bribery and anti-corruption | 21 |
13th | Financial controls | 15 |
14th | Environment and climate change | 14 |
15th | Health and safety | 13 |
16th | Mergers and acquisitions | 10 |
17th | Other | 10 |
Cybersecurity and data security clearly stand out as being viewed as the single most important risks, with the categories of regulatory change and compliance, and digitisation and disruptive technologies also prominent.
The single largest risk mentioned by CAEs
Also included in the report is the measure of what CAEs feel is the single largest risk currently facing their organisations. These are ranked as follows:
Ranking | Category of risk | % Response |
|---|---|---|
1st | Data security and cybersecurity | 22 |
2nd | Digitisation, disruptive technology | 18 |
3rd | Regulatory change and compliance | 13 |
4th | Macroeconomic and political uncertainty | 8 |
5th | Financial risks | 6 |
6th | Business continuity and resilience | 4 |
7th | Corporate governance and reporting | 4 |
Interestingly, cybersecurity was ranked highly (third) in importance among the top ten priorities within their organisations by finance directors in a survey (Facing up to the Fears) which appeared in the September 2019 edition of The CA Magazine.
Questions for internal audit
The report also gives section-by-section useful information for internal auditors on the following topics:
- Cybersecurity and data privacy: rising expectations of internal audit
- The increasing regulatory burden
- Digitisation and business model disruption
- Looking beyond third parties
- Business resilience, brand value and reputation
- Financial risks: from low returns to rising debt
- Geopolitical instability and the macroeconomy
- Human capital: the organisation of the future
- Governance, ethics and culture: the exemplary organisation
- Climate change: risk vs opportunity.