Cybersecurity worries continue to top the list of risks currently facing businesses in nine European countries, but climate change is fast becoming a major concern, according to research from the Chartered Institute of Internal Auditors (Chartered IIA).
Its fourth annual report, based on interviews with heads of internal audit in Belgium, France, Germany, Italy, the Netherlands, Spain, Sweden and the UK and Ireland, found that 78% nominated cybersecurity as the biggest risk, followed by regulatory change (59%) and digitalisation (58%).
Cybersecurity and digitalisation have both appeared in the top three risks in the last two years – although this year the number citing cybersecurity as a top five risk has increased by 18%, further consolidating its position as the number one challenge.
While 14% of chief internal auditors said climate change is a key risk now, double the number (28%) said climate change will be a major risk in five years’ time.
The survey highlighted a potential mismatch between the areas identified as having greatest risk, and the areas where internal audit teams expended the greatest effort.
For example, just 15% of respondents see financial controls as a top risk, yet 51% say this is one of the top five risk areas where internal audit spends the most time and effort.
There is a similar issue regarding corporate governance and reporting (financial and non-financial), which is a top five risk for 26% of the cohort, but double the number (53%) say this is where most time is spent auditing.
The report suggests this indicates that too much time is being spent on these ‘traditional’ audit domains relative to their level of priority.
Conversely, almost a third (29%) cite macroeconomic and political uncertainty as a priority risk to their organisation, but only 4% say this is where most audit resources are spent. While 58% see digitalisation as a key risk, only 30% list it among the top five risk areas that are currently audited the most, even though 75% of respondents also said digitalisation will be a priority risk in five years’ time.
The report suggests that chief internal auditors should analyse any such gaps and discuss them with the board.
Dr Ian Peters, chief executive of the Chartered IIA, said: ‘Cybersecurity is a problem we regularly see on the news, from the theft of 500 million Marriott hotel guests’ personal information, to the security breach which exposed 50 million Facebook user identities. Risk in Focus 2020 includes guidance for businesses to better manage the cyber risks they face.
‘Risk in Focus 2020 also analyses the impact of regulatory change after the introduction of GDPR and new legal frameworks for online payments. This risk is likely to become more severe for UK and Irish businesses, as they face the prospect of further regulatory change because of Brexit.’
The report recommends a number of ways that businesses can increase protection against cyber threats, including assessing how their customer service chatbots and options such as Siri and Alexa are protected against breaches.
It also suggests recruiting an internal or external cybersecurity expert to minimise corporate risks and reviewing the security of cloud services – including ensuring robust systems and processes are in place to prevent misconfigurations.
Peters said: ‘Digitalisation has led to huge technological advances from AI to blockchain. Risk in Focus 2020 contains guidance for businesses about taking advantage of the opportunities that come with digitalisation and support in managing the associated risks.’
Chartered IIA’s Risk in Focus 2020 report is here
By Pat Sweet