What are the critical risks in 2014 and how should audit respond?
As the New Year begins and businesses start implementing their plans for growth, being able to identify new trends in emerging risk areas that threaten to derail enterprise performance over the next 12 months is imperative.
But what are the "top-of-mind" issues that have (or should have) triggered the attention of boards, audit committees, and senior executives? In an effort to shed some light on this issue, CEB synthesises survey data from hundreds of members across industries, in-depth conversations with Chief Audit Executives (CAEs) and trend analysis to highlight the 10 most critical risks, or 'Hot Spots', that confront organisations in 2014 and that Internal Audit functions should be assessing.
The Audit Plan Hot Spots for 2014 addresses a number of well-known risks - cybersecurity and third parties which are especially serious now - and also spotlights a number of inadequacies in companies' control environment such as risk management and crisis response management that may very well create blind spots for companies that could significantly disrupt business objectives. Most importantly, the report also shows how organisations, continue to struggle with the rapidly changing business and regulatory environments.
The top 5 (out of 10) Audit Plan Hot Spots for 2014 are:
1.Compliance Management - this risk reflects the continuing introduction of new regulations across the globe; the stricter enforcement of existing legislation in many jurisdictions; and the challenge, for international organisations, of maintaining a globally coherent corporate policy with a background of differing (but similar) regulation in different territories. Audit responses include reviewing the regulatory tracking process within the organisation and the effectiveness of compliance training.
2.Cybersecurity: Malicious Insiders - CEB research shows that the proportion of incidents caused by insiders has doubled in the last 12 months and that more attention is required to protect information assets from malicious insiders - including employees and also contractors. Contractors often have access to key data, system functionality and own process control responsibilities without always the same commitment to the standards of the organisation. Audit responses include risk assessment of insiders and insider penetration testing.
3.Risk Management - with 87% of CAEs reporting one or more serious risk events in the past 24 months and continuing risk volatility, many stakeholders are focused on improving their ERM. Corporate culture and employee behaviour are rightly being increasingly seen as key components of an effective ERM and many CAEs that we work with are rapidly developing their audit approach to this non-standard risk topic. Audit responses include an audit of ERM effectiveness and an audit of corporate culture.
4.Cybersecurity: Malicious Outsiders - As an example, 78% of large organisations in the UK were attacked by malicious outsiders in 2012 and there is no reason to believe other organisations in other territories will be much different. New regulations - such as in the EU, Australia and U.S. - have also all raised the importance of this risk. Audit responses include external penetration testing and review of the regulatory monitoring process.
5.Emerging Markets - while the rate of growth is slowing in several emerging markets these markets continue to feature in the strategic plans for many organisations. Risks around different culture in these locations and the higher exposure to theft of Intellectual Property are 2 particularly challenging risks reported by many CAEs in our global membership. Audit responses include reviews of known high risk business processes and IP protection.
Being able to respond to these emerging risk areas effectively is critical. By making management more responsive owners of these risks via usable and relevant policies, training and other controls, CAEs and other risk, legal and compliance professionals will be better equipped to help the enterprise secure strong performance with reduced uncertainty and disruption.
Ian Beale is a senior director in CEB's Legal, Risk and Compliance practice, based in London.