Navigating the rocky road ahead

The European Confederation of Institutes of Internal Auditors (ECIIA) has released its annual Risk in Focus report, highlighting how internal auditors view the risk landscape as they prepare audit plans for 2023.  

The ECIIA has published its Risk in Focus report for the past seven years. This year’s publication, a collaboration between 14 institutes of internal auditors, draws on data collected during March and April 2022 from Chief Audit Executives (CAEs) from Austria, Belgium, Bulgaria, France, Germany, Greece, Ireland, Italy, Luxembourg, the Netherlands, Slovenia, Span, Sweden, Switzerland, and the UK. A total of 834 responses were gathered, while data also came from four roundtable discussions with 39 CAEs and an additional nine one-to-one interviews with experts who could provide deeper insight into the risks facing audit professionals.  

Key risks

Many of the key risks identified by the report echo the views of those who attended the recent CQI Audit SIG conference on the future of auditing, held in London in late September.  

The Audit SIG’s Chairman, William Rankin CQP FCQI, says: "The modern auditor should be well versed in the risks surrounding the profession and the wider business landscape, and the recent Audit SIG conference brought these risks to life across different perspectives and boundaries.  

“It is important for auditors to understand what risks create opportunities and what risks create threats and building our audit plans around those, in alignment to business strategies. With the digital transformation here today, our audit programmes need to adapt to continue to be that trusted tool that business leaders rely upon.” 

Five key areas of concern are identified by the Risk in Focus 2023 report, namely: 

• geopolitical uncertainty; 
• climate change; 
• organisational culture; 
• cyber and data risk; 
• digitalisation and artificial intelligence. 

Of the top-10 risks named by those who took part in the research, 82% of CAEs ranked cybersecurity and data security as a top-five risk. In addition, internal auditors said they spent ‘most of their time and effort working on this area’.  

This was followed by human capital, diversity and talent management, with half of respondents ranking it as a top-five issue. This also echoes the findings of the CQI’s Workforce Insight research, in which recruitment to the quality profession was flagged as a significant issue, while 20% of those surveyed expected to continue their career outside of the quality profession.  

“It is important for auditors to understand what risks create opportunities and what risks create threats, and building our audit plans around those, in alignment to business strategies.”

William Rankin CQP FCQI, Audit SIG’s Chairman.

Unsurprisingly, given the war in Ukraine and its significant impact on the economy and security, geopolitical and macroeconomic uncertainty is also a key concern for CAEs, with 45% ranking this as a top-five concern. This occupied third place in the top 10 risks, up from seventh place last year.  

This was also echoed in the risk ranked eighth of 10, supply chain, outsourcing and ‘nth’ party risk, with 35% of CAEs marking it a top-five risk.  

The top-five risks were rounded out by number 4, change in laws and regulations, which was highlighted by 44% of those surveyed, and number 5, digital disruption, new technology and AI (38%) – topics tackled this year by the CQI in Quality World magazine features.  

How internal auditors can help

So how can auditors use this report to support their work? Risk In Focus 2023 offers a number of recommendations for how the boards of organisations can work with their internal auditors to tackle the key risks highlighted.  

One suggestion is that they should work with their internal auditors to assess what mechanisms are in place to ensure that any new information on cyber threats and countermeasures can be quickly spread throughout a business.  

Internal auditors are also well placed to work to ensure that the human resources strategies of an organisation are suitable for attracting and retaining staff, as well as being aligned with the company’s vision and mission.  

Another key recommendation is that boards should work with their internal auditors to assess whether the nature of key risk areas identified by an organisation are still valid for circumstances that may arise during 2023; what vulnerabilities systemic risks may create; and whether risk assessment and risk management will give the board a clear oversight of such dangers.  

Climate change and environmental sustainability was ranked a key risk by 37% of CAEs, a number expected to grow even further in the next three years. The Risk in Focus 2023 report recommends that boards should work with their internal auditors to better understand the company’s goals and action plans in this area.  

No-one can deny that the current landscape is challenging for everyone, but, as this report underlines, auditors are well placed to help their organisations navigate the rocky road ahead.