RISK IN FOCUS Hot topics for internal auditors - IIA Switzerland
PAGE 2 OF 42

CONTENTS
3 Introduction: auditing amid rapid change
5 Methodology
6 Data breakdown: the survey results
13 IT security: response and recovery
16 Rising sustainability regulations
19 Accelerated digitalisation and low-code adoption
22 Workforce fatigue and cultural erosion
24 Pandemic response: organisational and strategic resilience
27 Financial risk and the looming insolvency wave
29 Rising inflation and the global tax clampdown
32 Climate change and sustainability is now a principal risk
35 Supply chain strains and the race to flexibility
38 Health and safety amid the continued COVID-19 threat
42 Appendix
PAGE 3 OF 42

INTRODUCTION: AUDITING AMID RAPID CHANGE

Organisations and their internal audit functions face a dizzying pace of change and unprecedented uncertainty. The pandemic has destabilised operations and labour, disrupted supply and demand, and undermined previously sound business models to an extent few would have thought possible.

With the roll-out of vaccines in the developed world and the return of growth as economies reopened in 2021, it may be tempting to see the worst of the pandemic as having passed. However, COVID-19 will continue to have deep and lasting consequences, a new reality that organisations must accept.

Large sections of the workforce are reflecting on their futures, seeking new employment to advance careers stalled by the pandemic or changing course altogether by migrating into different sectors. Many countries are witnessing a resignation crisis, staff shortages and high vacancy rates, demonstrating how profoundly the pandemic has exacerbated the talent management risks that existed long before 2020.

Workforce and labour market disruptions also have major implications for culture. CEOs are having to develop a clear vision for the future of their companies, and re-embed core values amid the transition to hybrid operating models that balance remote and on-site working arrangements. They must reconcile the shifting job expectations and new aspirations of existing and incoming staff with their corporate strategy and mission.

While the economic recovery is promising following the deepest global recession in living memory, businesses are contending with critical supply chain issues and inflation risks. Production costs have risen at a rate not seen for decades. Businesses are struggling to forecast demand for their products as virus infection rates and consumption continue to wax and wane. This uncertainty and disruption is being felt end-to-end through supply chains.

Last, but by no means least, organisations can no longer ignore the climate change and sustainability agenda. Those that do not take immediate action face the genuine risk of extinction. As long-term stewards of capital, institutional investors are pulling out of companies that are not prioritising the environment or society and failing to make the necessary adjustments to their strategies, business models and operations.
PAGE 4 OF 42

Sustainability regulations have already been rising and renewed policy efforts are sure to follow the UN Climate Change Conference of the Parties (COP26). Environmental, social and governance (ESG) themes have now established themselves as principal risk priorities. Businesses finally recognise that an unwillingness to accept accountability not only for their environmental and social impacts but their approaches to diversity and inclusion may cost them their futures, as customers, suppliers and workers gravitate towards genuine sustainability leaders.

Change and uncertainty will define 2022 and the years that follow. Internal audit must understand this change in the outside world, articulate how well it believes the organisation is adapting to these pressures and identify how effectively associated risks are being accounted for and managed. In many cases this will require a complete rethink of internal audit’s strategy, planning and where it focuses its efforts.

The world has changed. Internal audit must change too.
PAGE 5 OF 42

METHODOLOGY

In the first half of 2021 a quantitative survey was distributed amongst the CAE members of 12 Institutes of Internal Auditors in Austria, Belgium, France, Germany, Greece, Italy, Luxembourg, the Netherlands, Spain, Sweden, Switzerland and the UK & Ireland. This survey elicited 738 responses, an all-time high for this research project. Simultaneously, a sample of 35 Chief Audit Executives (CAEs), 12 Audit Committee Chairs (ACCs) and 3 CEOs from across these countries were interviewed to provide deeper insights into how these risks are manifesting and developing.

The following topics in this report were determined by the quantitative survey results; the qualitative feedback from the interviews has been used to contextualise the survey results, providing colour and up-to-the-minute considerations for CAEs, with priority given to new issues and emerging themes that warrant attention.

This report should not be considered prescriptive, but as a tool to inform internal audit’s thinking and provide a benchmark against which CAEs can contrast and compare their own independent risk assessments. We also hope that CAEs will use this report as an agenda item for audit committee discussions and as a sense-checking tool to support their internal audit planning and strategy.

[Infographic: 13 European countries involved; 50 in-depth interviews; 738 responses from CAE members]
PAGE 6 OF 42

DATA BREAKDOWN: THE SURVEY RESULTS

[Chart: What are the top five risks that your organisation currently faces? Share of CAEs citing each risk, 2022 survey compared with 2021 survey (horizontal axis 0% to 100%); bar values are not recoverable from the extraction.]

2022 ranking:
1. Cybersecurity and data security
2. Changes in laws and regulations
3. Digital disruption, new technology and AI
4. Human capital, diversity and talent management
5. Business continuity, crisis management and disasters response
6. Financial, liquidity and insolvency risks
7. Macroeconomic and geopolitical uncertainty
8. Supply chain, outsourcing and 'nth' party risk
9. Organisational culture
10. Organisational governance and corporate reporting
11. Climate change and environmental sustainability
12. Health, safety and security
13. Communications, reputation and stakeholder relationships
14. Fraud, bribery and the criminal exploitation of disruption
15. Mergers and acquisitions

2021 ranking:
1. Cybersecurity and data security
2. Regulatory change and compliance
3. Digitalisation, new technology and AI
4. Financial, capital and liquidity risks
5. Human capital and talent management
6. Disasters and crisis response (NEW for 2021)
7. Macroeconomic and geopolitical uncertainty
8. Supply chains, outsourcing and ‘nth’ party risk
9. Corporate governance and reporting
10. Communications, management and reputation
11. Corporate culture
12. Bribery, fraud and other financial crime
13. Climate change and environmental sustainability
14. Health and safety
15. Mergers and acquisitions
PAGE 7 OF 42

The risk landscape has shifted over the past year in the eyes of Europe’s CAEs.

One of the more notable changes observable in the survey data is that Financial, liquidity and insolvency risk has become less of a priority. However, it’s important to view this in context. In the second quarter of 2020, large swathes of business activity were shut down and record levels of government stimulus were infused into the economy to avert a financial crisis. Consequently, Financial, liquidity and insolvency risk spiked in priority in last year’s report.

Since then, businesses have weathered a historic recession and may have newfound confidence as growth returns. But this macro recovery may be masking unforeseen financial risk. As stimulus is withdrawn over the coming months, companies should be liquidity stress testing and planning for worst case scenarios as the economy remains sensitive to further shocks and a potential wave of delayed insolvencies. Banks are now placing increasing demands on their corporate customers to understand their exposure to financial risks.

In parallel, a number of risks have come further to the fore this year, most of which have a human dimension. Human capital, diversity and talent management, Organisational culture, and Health, safety and security have all gained positions in the survey ranking and more of the overall vote over the past year. This demonstrates that CAEs are concerned about the impacts the pandemic and the extended homeworking period are having on the workforce, including personnel turnover as staff reflect on their careers and reset their aspirations. The implications of a more fluid employment market are likely to be felt for some time and these challenges will have to be actively managed.

Organisational culture in particular has seen a 35% gain in the proportion of CAEs who view it as a top five risk, from 20% to 27%. This is supported by audit leaders in this year’s qualitative interviews consistently speaking of their sense that culture is at risk of eroding—and the knock-on effects that this could have. Inevitably, against the backdrop of the ongoing pandemic, the question marks that remain over emerging variants and the return to the workplace, the health and safety of staff, customers and suppliers is also of paramount importance.

But the real story is that Climate change and environmental sustainability is surging up the agenda, climbing as many as four positions in the ranking and seeing a 41% gain in the proportion of CAEs who view it as a top five risk. Last year 22% of audit leaders had this among their five biggest risks; that has risen to 31%. No other risk area has shown a bigger year-on-year increase and this is a continuation of a trend: in 2020 a mere 14% of respondents put climate change among their top five risks. It’s now time to act.

[Pull quote: 41% increase in the proportion of CAEs who view Climate change and environmental sustainability as a top five risk since last year’s survey.]
PAGE 8 OF 42

Risk trends over time

[Chart: Percentage of CAEs who cited the risk among their top 5, 2020 to 2022 (vertical axis 10% to 40%). Series: Human capital, diversity and talent management; Business continuity, crisis management and disasters response; Climate change and environmental sustainability; Organisational culture; Health, safety and security. Values are not recoverable from the extraction.]

Risk in Focus is an opportunity to track how risk priorities are developing over time. A number of dominant themes are emerging. Climate change and environmental sustainability shows the steepest curve, gaining in prominence more than any other risk type over the past three years, according to CAEs in our sample.

The remaining four risks highlighted in the graph that are gaining in priority are highly thematic when viewed against the backdrop of the pandemic. Risks related to Business continuity, crisis management and disasters response have been heavily impacted by recent events, and the same is true of Health, safety & security, Human capital, diversity and talent management and Organisational culture. These latter three have a clear human capital element to them. Businesses have been forced to flex and adapt over the past 18 months, protecting their workforces from harm as health risks sharply escalated. As the pandemic has rolled on for longer than many expected, companies have had to think about the psychological wellbeing of their staff and what socially distanced and remote working conditions mean for staff cohesion and culture.

It remains to be seen what the trajectory of these risks will be in future, but it is reasonable to expect that health and safety considerations will abate over the medium term as the uptake of vaccines increases. Similarly, as—or perhaps if—the pandemic comes under greater control and potentially recedes altogether then crisis management will likely fall in priority.

Human capital risks related to talent management and diversity are likely to be less transitory. Demographic pressures associated with plateauing, and in some cases declining, population growth across much of Europe combined with digital skills shortages will make recruitment and retention a persistent challenge. Meanwhile, a lack of diversity is not something that organisations can resolve overnight.

Finally, Climate change and environmental sustainability is a moving target that companies will have to make continuous efforts to mitigate for decades to come. This should therefore be considered a “forever risk” that is likely to move up the risk rankings over time, a view shared by the CAEs we surveyed.
PAGE 9 OF 42

Looking ahead

[Chart: What are the top 5 risks that your organisation will face three years from now? Share of CAEs citing each risk, expected for 2025 compared with the 2022 result (horizontal axis 0% to 90%); bar values are not recoverable from the extraction.]

Risks shown, in chart order:
1. Cybersecurity and data security
2. Digital disruption, new technology and AI
3. Changes in laws and regulations
4. Human capital, diversity and talent management
5. Climate change and environmental sustainability
6. Business continuity, crisis management and disasters response
7. Supply chain, outsourcing and 'nth' party risks
8. Macroeconomic and geopolitical uncertainty
9. Organisational culture
10. Financial, liquidity and insolvency risks
11. Organisational governance and corporate reporting
12. Communications, reputation and stakeholder relationships
13. Fraud, bribery and the criminal exploitation of disruption
14. Health, safety and security
15. Mergers and acquisitions
PAGE 10 OF 42

Three years from now European CAEs believe that Cybersecurity and data security will become somewhat less of a risk, although this is relative. It is still expected to dominate the risk rankings and any threat mitigation will come from the fact that businesses are becoming better equipped at managing and minimising the risk of attacks and data breaches. Other risks that are expected to abate or come under greater control include Business continuity, crisis management and disasters response, Financial, liquidity and insolvency risks, and Health, safety and security. All three of these have been directly influenced by the pandemic and therefore it should be expected that they will recede in due course.

The biggest gainers over this period are expected to be Climate change and environmental sustainability, and Digital disruption, new technology and AI, both of which are becoming fundamental existential risks. The winners and losers over the coming years will be defined by their ability to adapt to the twin pressures of becoming digital-first organisations with minimal environmental impacts and best-in-class sustainability reporting and transparency. It is becoming increasingly clear that only those who prioritise sustainability in their strategies, business models and operations—and can articulate this to investors, governments and the public—will succeed in the long term.

One fast-track method for achieving these goals is through acquisition. Rather than wholly relying on internal development and organic growth, companies can buy innovation, talent and market access via M&A. For example, the financial services sector is currently in a state of reinvention, banks acquiring fintechs to protect and grow their market share and maintain their relevance. In the consumer and retail sectors, companies are scaling down their physical footprints and leaning heavily into digital channels, a shift that is also being achieved via strategic acquisitions.

[Pull quote: Consistent with this, the survey results show that CAEs expect Mergers and acquisitions risk to rise over the next three years.]
PAGE 11 OF 42

Risk priorities vs. audit’s focus

[Chart: What are the top 5 risks on which internal audit spends the most time and effort? Two series per risk: Risk priority and Time spent (horizontal axis 0% to 90%); bar values are not recoverable from the extraction.]

Risks shown, in chart order:
1. Cybersecurity and data security
2. Changes in laws and regulations
3. Digital disruption, new technology and AI
4. Human capital, diversity and talent management
5. Business continuity, crisis management and disasters response
6. Financial, liquidity and insolvency risks
7. Macroeconomic and geopolitical uncertainty
8. Climate change and environmental sustainability
9. Supply chain, outsourcing and 'nth' party risk
10. Organisational culture
11. Organisational governance and corporate reporting
12. Health, safety and security
13. Communications, reputation and stakeholder relationships
14. Fraud, bribery and the criminal exploitation of disruption
15. Mergers and acquisitions
PAGE 12 OF 42

The Risk in Focus survey also shows how closely internal audit’s time, attention and resources are being matched to what CAEs consider to be the biggest risks to their organisation. There are numerous reasons why these differentials may exist and a direct correlation between risk priority and time spent auditing should not necessarily be expected.

However, any gaps could be cause for concern, potentially indicating a lack of assurance maturity or that internal audit is not pointed in the right directions. For instance, as has been observed in previous years, Organisational governance and corporate reporting sees much of internal audit’s attention and yet is not viewed as high risk. Conversely, Macroeconomic and geopolitical uncertainty and Climate change and environmental sustainability are viewed as significant risks to the business and yet see limited attention from internal audit. This is a major problem.

Internal audit must be bold. If audit committees expect the third line to concentrate on traditional risk areas that are already well controlled, the business is not realising the full potential of internal audit. In such cases, CAEs must push back and educate stakeholders, urging them to harness the third line to assess big and rapidly emerging risk themes.

Looking ahead three years from now, CAEs expect internal audit’s attention to be increasingly directed towards risks related to Climate change and environmental sustainability, and Digital disruption, new technology and AI. Audit leaders must push for the resources to build highly competent and highly relevant functions that can tackle these shifting assurance needs with confidence. This should be addressed urgently. Waiting until 2025 may be too late.

[Chart: What are the top 5 risks you expect internal audit to spend the most time and effort addressing 3 years from now? Expected for 2025 compared with the 2022 result (horizontal axis 0% to 90%); bar values are not recoverable from the extraction.]

Risks shown, in chart order:
1. Cybersecurity and data security
2. Organisational governance and corporate reporting
3. Changes in laws and regulations
4. Business continuity, crisis management and disasters response
5. Financial, liquidity and insolvency risks
6. Fraud, bribery and the criminal exploitation of disruption
7. Supply chain, outsourcing and 'nth' party risk
8. Organisational culture
9. Digital disruption, new technology and AI
10. Health, safety and security
11. Human capital, diversity and talent management
12. Communications, reputation and stakeholder relationships
13. Climate change and environmental sustainability
14. Mergers and acquisitions
15. Macroeconomic and geopolitical uncertainty
PAGE 13 OF 42

IT SECURITY: RESPONSE AND RECOVERY

The research data

82% of CAEs say that Cybersecurity and data security is among their top five risks, once again putting it ahead of any other risk type (#1). Not only that, 34% of CAEs say this is their single biggest risk (#1). This coincides with a material increase in cybercrime over the past 18 months, as criminals have sought to exploit the security weaknesses exposed by operational disruptions.

CAEs in the most cyber mature organisations, particularly in the financial services sector, explain that organisations are turning their attention to response and recovery processes and procedures, and what to do in the event of ransomware events. Companies must be confident that they know how to respond when bad actors strike and can bring operations back online with minimal disruption by following established protocols.

Naturally, the best means for avoiding disruption is by preventing attacks in the first place. One of the two most common ransomware attack vectors is software vulnerabilities, with VPN (virtual private network) servers used for connecting homebound staff to centralised systems being a particular point of focus for cyber extortionists over the past 18 months. The other is emails.[1] This is why the human element is so important. It is estimated that 97% of phishing emails now contain some form of ransomware[2], and that 95% of IT security breaches result from human error.[3] Staff training and awareness is the most effective way of minimising the likelihood of workers clicking on malicious links and harmful attachments (e.g. .doc, .dot and .exe files).

However, no amount of training can totally prevent assaults from slipping through the cracks. Businesses that have yet to suffer a major incident need to recognise that it is not a question of if attackers will be successful, but when. Further along the maturity curve from protective measures (e.g. software configuration management, strong password policies and staff awareness) are response and recovery protocols. The ultimate goal is to reduce downtime and loss of revenue while maintaining customer trust. These protocols also need to be organisation-wide and not only repeatable but adaptive, so that they remain relevant and effective as the nature of the risk develops and the IT environment expands and grows more complex.

“We want to see that there is a crisis organisation established and that it meets on a regular basis and it’s trained. You want to see exercises where the whole data centre is switched off because of a breach and that the back-up works well, restarting the applications and so on. You cannot wait for the crisis to appear. People need to know what to do in the event of an emergency.”
CAE, Switzerland, one of the country’s top five banks

[1] Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
[2] Phishing Statistics You Need To Know To Protect Your Organisation
[3] 134 Cybersecurity Statistics and Trends for 2021
PAGE 14 OF 42

IT SECURITY: RESPONSE AND RECOVERY

An internal audit perspective

Every organisation is at a different point in their information security journey, therefore internal audit must focus its assurance efforts where they are most needed. For the least mature, the third line should concentrate on the foundations: whether the business is properly risk assessing and putting in place hard and soft defensive controls. Hard controls include regularly updating software patches, properly configuring firewalls and threat detection systems, and using least privilege access and two-factor authentication (2FA) to contain attacks from spreading through the entire network from the initially compromised computer. Soft controls centre on the risk awareness throughout the organisation, sound cybersecurity culture being a key risk mitigator.

Once internal audit is confident that these foundations have been laid, its attention should turn to the business’s ability to respond and recover. If IT continuity plans are not well understood by staff or, worse, there are no plans, the organisation is exposing itself to unnecessary risk. The third line should therefore seek evidence that these scenarios are being planned for, including dry run exercises, and that there are dedicated cyber crisis management and recovery resources in the business with clear lines of accountability and timely incident reporting.

“You do not know what is happening at the beginning of the ransomware attack, the decision-making is difficult, there is time pressure. I’m trying to see if we are ready or not to take the right decisions.”
CAE, France, CAC 40 manufacturer
PAGE 15 OF 42

IT SECURITY: RESPONSE AND RECOVERY
An internal audit perspective

DID YOU KNOW? The volume of ransomware attacks increased by 150% in 2020[4], more than any other kind, as criminals have sought to exploit the migration to remote working for financial gain. Victims also paid 311% more in ransom to have their data and systems decrypted by perpetrators over the same period.[5]

It is estimated that among recent ransomware victims, 56% recovered their data via system backups and 26% paid the required ransom to have their data returned.[6] This underscores the importance of response and recovery measures. Even paying criminals is a form of response and a route to recovery, and if this is agreed policy, it must be documented and understood by the IT security function, the CISO, the rest of senior management and the board.

Questions for internal audit
• Does the organisation have a cybersecurity strategy or roadmap? How far has the organisation progressed in achieving this?
• Is there a staff awareness and training programme in place to prevent successful attacks? Are these regularly updated?
• Is a cybersecurity response and recovery plan in place and is it tested?
• Does the organisation make data backups that it can use in the event of an attack? How does the organisation know that the backups are secure?
• What is the organisation's ransomware policy (does it pay up or not?) and are people aware of it?
• Do insurance policies appropriately cover IT security risks? Is incident reporting likely to be fast enough to meet the coverage requirements of insurers for successful claims?
• Is the organisation confident that it won't suffer an attack via its vendors or clients? Why is it confident, e.g. are third parties ISO 27001 certified?
• Does any penetration testing include all areas of the business, including potentially overlooked subsidiaries in non-core markets?

4 Ransomware Attacks Soared 150% in 2020
5 Key Recommendations from the Ransomware Task Force
6 The state of ransomware 2020
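One concrete answer to the backup question above ("how does the organisation know that the backups are secure?") is to verify the backup set against a hash manifest that is authenticated with a key the backup host never holds, and to flag modified files whose content now looks like ciphertext. The script below is an added example and is not part of the Risk in Focus report or of any vendor's tooling. It assumes a hypothetical layout in which the manifest and its HMAC key are stored off the backup host (a vault or an offline system); the file contents, the key and the "ransomware" output are all constructed in-memory so the script runs offline.

```python
"""Verify a backup set against an independently stored, HMAC-authenticated manifest.

Added example, not from the Risk in Focus report. Files, key and ciphertext are
constructed so the script runs offline; in practice the manifest and the key
live on a system that the backup host cannot write to.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import math

ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted or compressed data sits close to 8.0


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. CSV and config text land around 4-5; ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def build_manifest(files: dict[str, bytes], key: bytes) -> dict:
    """Record a SHA-256 per file and HMAC the whole list with the off-host key.

    An attacker who encrypts the backup and rewrites the hashes to match cannot
    produce a valid MAC without the key, so the rewrite is detected."""
    entries = {path: sha256_hex(data) for path, data in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(files: dict[str, bytes], manifest: dict, key: bytes) -> dict:
    """Compare a backup set with its manifest and report missing, modified, unexpected
    and probably-encrypted files. A bad MAC fails the check before any file is trusted."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    report = {"manifest_authentic": hmac.compare_digest(expected_mac, manifest["mac"]),
              "ok": [], "modified": [], "missing": [], "unexpected": [], "likely_encrypted": []}
    if not report["manifest_authentic"]:
        return report
    for path, digest in manifest["entries"].items():
        data = files.get(path)
        if data is None:
            report["missing"].append(path)
        elif hmac.compare_digest(sha256_hex(data), digest):
            report["ok"].append(path)
        else:
            report["modified"].append(path)
            if shannon_entropy(data) > ENTROPY_THRESHOLD:
                report["likely_encrypted"].append(path)
    report["unexpected"] = sorted(set(files) - set(manifest["entries"]))
    return report


def fake_ciphertext(size: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for ransomware output (constructed)."""
    out = b""
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(b"constructed-%d" % counter).digest()
        counter += 1
    return out[:size]


def run_demo() -> tuple[dict, dict, dict]:
    """Constructed scenarios: a clean verification, a ransomware-style tampering,
    and a forged manifest. Returns the three reports."""
    key = b"constructed-offline-key"  # hypothetical; would live in a vault, not on the backup host
    original = {
        "finance/ledger-2021-09.csv": b"date,account,amount\n2021-09-01,4000,125.00\n" * 40,
        "hr/payroll.db": bytes(range(32)) * 16,
        "it/configs/firewall.conf": b"allow tcp 443 from any\ndeny all\n" * 10,
    }
    manifest = build_manifest(original, key)
    clean = verify_backup(original, manifest, key)

    # Ransomware scenario: one file encrypted, one deleted, a ransom note dropped.
    tampered = dict(original)
    tampered["finance/ledger-2021-09.csv"] = fake_ciphertext(2048)
    del tampered["hr/payroll.db"]
    tampered["README_DECRYPT.txt"] = b"Your files are encrypted. Pay to recover.\n"
    after_attack = verify_backup(tampered, manifest, key)

    # The attacker also rewrites the hash list to match, but can only reuse the old MAC.
    forged = {"entries": {p: sha256_hex(d) for p, d in sorted(tampered.items())},
              "mac": manifest["mac"]}
    forged_report = verify_backup(tampered, forged, key)
    return clean, after_attack, forged_report


if __name__ == "__main__":
    for label, rep in zip(("clean", "after attack", "forged manifest"), run_demo()):
        print(label, json.dumps(rep, indent=1))
```

The point for the auditor is the separation of duties built into the check: the host that writes the backups holds neither the manifest nor the key, so an attacker who has encrypted the backups cannot also make them look intact. Restore testing is still needed on top of this; an authentic, unmodified backup that nobody has ever restored from is still an untested recovery plan.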
PAGE 16 OF 42

RISING SUSTAINABILITY REGULATIONS
The research data

The regulatory burden is a perennial risk that stays firmly at the top of business's risk registers, especially for banks and others operating in regulated markets. Changes in laws and regulations is among the top five risks for 46% of CAEs this year (#2, maintaining its position from a year prior but with a significantly smaller share of the vote), though only 8% have it as their number one risk (#5). Regardless of their sector, companies should be paying close attention to rising sustainability requirements.

In November the UK will host the COP26 UN climate summit, with world leaders convening to discuss how actions can be accelerated towards the goals of the Paris Agreement and the UN Framework Convention on Climate Change. Inevitably this will mean more policymaking and increased regulations. However, the regulatory train is already in motion. Global ESG regulations and laws have grown by 90% since 2016[7] and policymakers continue to step up their efforts.

CAEs, ACCs and CEOs in our research almost universally spoke of the increasing regulations their organisations face, with attention quickly turning to sustainability reporting.

In April 2021, the EU adopted a package of measures as part of its mission to slash greenhouse emissions by at least 55% by 2030, and reach carbon neutrality by 2050. The package includes the final EU Taxonomy Climate Delegated Act, applicable from 1 January 2022. The act is the first set of technical criteria defining activities that contribute substantially to climate change mitigation and adaptation, essentially supplementing the broad-brush framework of the EU's Taxonomy Regulation, which entered into force on 12 July 2020. A second delegated act is due to follow in 2022.

The broader package also included a proposed Corporate Sustainability Reporting Directive (CSRD), intended to replace the existing Non-Financial Reporting Directive (NFRD), which is widely seen as having fallen short of the mark. The CSRD aims to make sustainability reporting more consistent, so that investors and the public can use comparable and reliable information. Crucially, the proposal significantly enlarges the scope of the current reporting requirements

46%: Changes in laws and regulations is among the top five risks for 46% of CAEs, although only 8% of CAEs see it as their number one risk.

7 McKinsey Global Private Markets Review 2021
PAGE 17 OF 42

RISING SUSTAINABILITY REGULATIONS

from the 11,000 companies that are currently subject to the NFRD to some 50,000 companies.[8] This nearly five-fold increase in scope is because the rules are expected to apply not only to every single company with tradeable instruments on Europe's stock and bond markets, but to all large companies whether they are listed or not. Unlike the Sustainable Finance Disclosure Regulation, which came into effect in March 2021, these reporting requirements are intended to apply across sectors, not just in the investment industry.

While Britain has left the EU, UK businesses cannot ignore the rising tide of sustainability regulations. As part of its 2020 Roadmap and Interim Report, the government intends the UK to become the first G20 country to make reporting aligned with the Task Force on Climate-Related Financial Disclosures (TCFD) mandatory across the economy, so this is not solely a concern for EU businesses.

"The main thing is around who we lend to. Do we lend on clean energy? How do we make sure that it's really green? How do we aggregate the reporting? How do we stress test for climate risk? There's a lot of movement in that space with the new taxonomy."
CAE, Luxembourg, development finance bank

8 Sustainable Finance and EU Taxonomy: Commission takes further steps to channel money towards sustainable activities
PAGE 18 OF 42

RISING SUSTAINABILITY REGULATIONS
An internal audit perspective

Third lines in banking and insurance companies are now long familiar with the rising tide of regulation, so, while challenging, these emerging rules are the continuation of a theme. For others, recent cross-sector efforts to deliver assurance around GDPR should stand internal audit in good stead for stricter compliance obligations.

The introduction of the EU Taxonomy Climate Delegated Act and the forthcoming CSRD provide greater clarity on what is expected of EU companies in their sustainability reporting. The same is true for UK businesses, given the intention of the UK government to make TCFD-aligned sustainability reporting obligatory. These developments give the third line concrete criteria to audit against.

While internal audit is not usually directly responsible for compliance, for smaller, less mature organisations it may choose to raise flags, highlighting which forthcoming regulations may need to be met. For instance, given that the CSRD will capture far more EU companies within its scope, the third line can bring to the board and senior management's attention that the first set of standards is expected in October 2022, with a second set to follow in 2023. For more mature organisations, internal audit will need to assess the compliance function's work, checking the efficacy of any processes and controls that have been modified to deliver on these emerging requirements.

Questions for internal audit
• Is internal audit providing assurance over the translation of relevant sustainability regulations into organisational commitments, policies and plans? Are the plans adequate and are they being delivered?
• Is the organisation aware of its sustainability reporting requirements and is it taking action to address this? Is internal audit or some independent party providing assurance over this reporting?
• Do the data and statements disclosed in non-financial reporting accurately reflect the activities of the company? Could it be reasonably concluded that the company is greenwashing, or is it doing what it claims?
• How well developed is the governance around sustainability reporting? For example, are roles and responsibilities clearly defined?
• Does the company have a system of prioritising regulations, whether related to sustainability or otherwise, and does it take an appropriately risk-based approach to managing compliance?
PAGE 19 OF 42

ACCELERATED DIGITALISATION AND LOW-CODE ADOPTION
The research data

Digital disruption, new technology and AI remains a priority, with 45% of CAEs citing it among their top five risks (#3, maintaining its position from a year prior) and 8% putting it as their top risk (#4).

The pandemic and its restrictions on physical contact brought the necessity for digital transformation into sharp focus. Digital laggards were left especially prone as countries went into lockdown, while those that had already executed on their digital strategies were at a distinct advantage. Any businesses that did not previously recognise the need to digitalise their operations and business models certainly do now.

Virtually all CAEs, ACCs and CEOs we interviewed flagged the risks and opportunities associated with digitalisation and the pace of this change as a priority area of attention. Aiding this digital acceleration is the use of low-code development platforms. By enabling developers to create software apps using graphical interfaces instead of hand coding them, low-code has expedited digitalisation during the pandemic, allowing businesses to roll out mission-critical solutions and expand digital channels at speed when they were most needed. It has been estimated that 64% of UK software developers increased their use of low-code tools in 2020 in response to the global lockdown.[9]

Businesses are expected to increasingly rely on low-code software development using tools such as Microsoft's Power Platform, Salesforce and Mendix[10] to help accelerate their progress. It is estimated that by 2024, 75% of large enterprises will be using at least four low-code development tools.[11] Meanwhile, the global low-code market is expected to grow by 22% in 2021, to $13.8bn.[12]

While much of this will be reserved for use by IT functions, the rise of so-called citizen development initiatives shows the opportunity, and the risk, that lies ahead. Citizen development helps to address the shortage of technically skilled workers by empowering non-technical employees to build apps that solve immediate problems. This can help overstretched IT functions unable to keep up with the many demands of the business. The benefits of this should not be underestimated.

That is the opportunity. The risk is that by lowering the bar for who can develop apps, effectively democratising digitalisation, the organisation may be increasing its blind spots. Companies may no longer have a true picture of the extent of digitalisation within their organisation, who is responsible for it and where the risks lie. In an effort to drive swift change, digitalisation may proliferate unchecked and key controls may not be paid their due attention, increasing security and data privacy vulnerabilities.

9 The 'low-code' imperative
10 Magic Quadrant for Enterprise Low-Code Application Platforms
11 Gartner 2020 Magic Quadrant for Enterprise Low Code Application Platforms
12 Surge in Remote Development Boosted Low-Code Adoption Despite Ongoing Cost Optimization Efforts
PAGE 20 OF 42

ACCELERATED DIGITALISATION AND LOW-CODE ADOPTION
An internal audit perspective

With digitalisation shifting up a gear, the third line's first concern should be whether the business model is being sufficiently adapted to meet the new digital reality. Any evidence identified by internal audit of competitors innovating in ways that could threaten the business should be brought to management's attention so that it can take urgent strategic action.

Turning to the development that is already underway, the third line can assess whether core risk management principles are being embedded into projects. Of particular concern is the widespread uptake of low-code tools. The greater the adoption of these tools among non-IT personnel, the higher the risk.

While this may appear to be uncharted territory, low-code and no-code development is a continuation of a theme that internal audit should already be familiar with. End-user development has been deployed for years already, such as the use of pivot tables and macros in Microsoft Excel to create invoice management systems or Microsoft Access to run database queries.

Internal audit should therefore return to the basics and assess whether any low-code app development and usage follows the company's established standards and protocols, including reviews, testing and staged deployment. IT functions will need to ensure they know exactly what low-code projects are in development and apply appropriate permissions controls so that critical data is not lost or misappropriated. What is more, it may be impossible to know exactly what is happening under the bonnet of these platforms and whether they are inadvertently introducing security flaws to the organisation. Given that the majority of low-code platforms have third-party integrations, it is possible that, even if the platform supplier releases security patches, critical updates are not rolled out in a timely manner, particularly if the organisation loses track of its low-code components.

Internal audit may choose to independently map all digital projects throughout the business and check that this matches the IT function's own mapping of current activities. In the broadest sense, the third line should check that digital projects, big and small, uphold the same standards expected of more traditional projects directly managed by the IT function, and confirm that there is appropriate oversight from the information security team.
PAGE 21 OF 42

ACCELERATED DIGITALISATION AND LOW-CODE ADOPTION
An internal audit perspective

Questions for internal audit
• Is the IT function fully aware of all digitalisation projects and sub-projects underway across the organisation?
• Is the organisation allowing citizen/end-user development? If so, are access rights and version roll-outs managed to avoid unintentional errors?
• Does current digitalisation activity match the organisation's risk appetite? From a back-to-basics perspective, does this digitalisation meet the established standards adopted by the organisation? Are the standards themselves fit for purpose?
• How much oversight do digitalisation projects have from the IT and IT security functions?
• Are agile methods delivering practical results at the expense of risk management? For example, are new applications being sufficiently security tested?
• Is there a programme in place for automatically patching any low-code apps that are in use?

"The risk I see is the IT infrastructure itself. We do a lot of internal development today because we don't want to be too dependent on a vendor. We have an innovation team that is not part of IT, it's in a grey zone. You have risks that are created because of developments not being sufficiently tested, documented or formalised because the business wants to use agile methods."
CAE, France, private bank
PAGE 22 OF 42

WORKFORCE FATIGUE AND CULTURAL EROSION
The research data

Human capital, diversity and talent management is cited by 40% of CAEs as being among their top five risks (#4, up one place from last year), up from 35% in 2021 and 27% in 2020, a clear uptrend. Meanwhile, 27% view Organisational culture as a top five risk (#10, up one place from last year), a notable year-on-year increase of seven percentage points. As businesses weigh up what working models to embed post-pandemic, the risks to culture, morale and staff cohesion should not be underestimated.

The atomisation of organisations in the homeworking environment has delivered some unexpected benefits. In Europe, 82% of senior executives have reported that productivity levels either held steady or increased as people migrated to remote work, and over half believe that some degree of remote working is here to stay and that it will play a powerful role in retaining top talent.[13]

However, it's not all upside. Recent research has shown that 47% of UK employees are less career focused because of the pandemic and 40% are concerned about work-related burnout[14], suggesting an extended period of staff churn could be ahead. Separately, it has been found that globally as much as 46% of workers are considering leaving their employer because they are now able to work remotely.[15]

Businesses may also be overlooking risks that are less simple to measure. Interviews with CAEs for this year's Risk in Focus elicited opinions not only on talent management and skills shortages, but on the impact that remote working and hybrid models might be having on culture, irrespective of any productivity benefits.

The lack of social interaction between colleagues may be eroding team cohesion and culture. Staff may be losing their sense of belonging or becoming fatigued and disengaged with their work. As effective as online collaboration tools and videoconferencing software have been in keeping the wheels turning and people connected virtually, there is no substitute for in-person interaction and small talk for fostering creativity, problem-solving and keeping the organisation's culture alive.

All of this could have negative downstream consequences. Culture and closer co-working are inextricably linked to factors as diverse as innovation and conduct. Without open sharing of ideas, the business may not be able to develop products or new ways of better serving customers as effectively.

If people feel less connected to their teammates and are unable to clearly see how their work contributes to the greater good of the company and its purpose, they could begin to stray. Disengagement has the potential to increase fraud and other misconduct as workers lose their sense of loyalty and put their own interests before the interests of their colleagues and the company. This may be compounded by limited oversight from management, which can result in the weakening of the soft controls environment and poorer internal communications and reporting, increasing the likelihood of undesirable behaviour.

13 Flexible ways of working are here to stay, finds new European research – with leaders focused on maintaining culture and innovation
14 Building resilience for the new realities of work
15 Microsoft Work Trend Index
PAGE 23 OF 42

WORKFORCE FATIGUE AND CULTURAL EROSION
An internal audit perspective

It may be too early for internal audit to conduct formal assessments of how effectively behavioural and cultural risk is being managed, given the fluidity of the present situation. However, the third line can get a "feel" for any weakening of staff morale and motivation and the overall cultural health of the company. This can be achieved by engaging with people on the ground and flagging any concerns with the board or audit committee.

If companies aim to permanently move towards hybrid working models, they will need to understand what impact this is having on productivity, innovation and the risk and control environment. Once the strategy has been formalised and embedded, internal audit can begin to think about how to address this. One approach would be directly auditing the culture; another would be to assess what HR and the second line are doing to understand and address any cultural erosion that's occurring, such as conducting staff surveys and employing behavioural science techniques to determine whether workplace incivility and disengagement is becoming a growing threat to the organisation's success. Steps will then need to be taken to remedy this and re-establish a sound and healthy culture.

Questions for internal audit
• What sense is there that the culture has eroded and integrity has weakened, and is there an awareness of this within HR, middle management and senior management?
• Are efforts being made to promote the organisation's core values and mission?
• What steps is the organisation taking to check in with staff? Is middle management sufficiently attentive to business teams? Is there anything quantifiable to support this?
• Is reduced in-person interaction having a detrimental impact on either productivity (less likely) or innovation (more likely)? How is this manifesting and being measured?
• Is staff turnover increasing? How long does it take to fill vacant positions? Is talent management to continuously attract and retain employees working?

"What hasn't necessarily been dissected enough is what the impact of new working models will be. There is a big risk that it's eroding culture. How do you keep the culture alive when everything's remote or hybrid and when you're not interacting in-person?"
CAE, Ireland, travel operator listed on Euronext Dublin
PAGE 24 OF 42

PANDEMIC RESPONSE: ORGANISATIONAL AND STRATEGIC RESILIENCE
The research data

38% of CAEs consider Business continuity, crisis management and disaster response to be a top five risk (#5), a small gain on last year (34%). Companies that have succeeded during the crisis period have not only met the short-term challenge of maintaining continuity, but have responded to the unexpected shocks of the pandemic by developing resilience and refining their strategies.

The events of 2020 caught even the most prepared businesses off guard. Unlike the physical events that businesses commonly plan for (extreme weather, power outages, cyber-attacks, etc.), the pandemic has been pervasive, simultaneously impacting employees, suppliers and customers across the globe and for a duration previously not considered a possibility. It goes without saying that organisations should be updating their business continuity plans (BCPs). This will require careful examination of how effective crisis responses have been, and BCPs should now include a pandemic scenario, incorporating lessons learned to better respond to similar future crises. These will need to include staff safety, supply chain and cyber risk mitigation measures. Greater resilience can be achieved by covering these basics, putting the organisation on a stronger footing should another pandemic or other crisis event occur.

From surviving to thriving

However, recent lessons have had far deeper, lasting implications. It is said that in every crisis lies opportunity, and the pandemic has been a catalyst for what in many cases has been positive change. As part of their crisis response, businesses are addressing strategic risks that have been lingering for years.

Analysis has shown that around half of senior executives in Europe report that the crisis exposed weaknesses in their companies' 'strategic resilience', i.e. the extent to which an organisation's business model and competitive position prove resistant to disruption. What is more, business-model innovation was by far the most important differentiator in addressing the crisis.[16]

Companies have had to strike a balance between coping with recent immediate disruptions and planning to thrive against the backdrop of reshaped demand and changing consumption patterns as economies reopen. Those who have failed to adapt to the change in circumstances by making necessary course corrections could be exposing themselves to longer-term existential risks as their business models quickly lose relevance.

The flip side to this is that strategic and operational adjustments and adaptations carry not only potential rewards but their own risks too. In the pursuit of securing the future of the business, any rapid and fundamental changes made during the pandemic period may create a domino effect, informing future strategic decisions and changes to the business.

16 Strategic resilience during the COVID-19 crisis