Gartner speaks with its internal audit clients each year to identify and qualify their top concerns, or “audit hot spots,” heading into the next year. This process helps to substantiate and evaluate the hot issues that are forcing companies to respond at a strategic level.
This year’s results* show that the chief audit executive (CAE) is more focused than ever on risks related to the pursuit of digital models to drive growth. This means not just the technological and cybersecurity risk of digital business, but also privacy, ethical and regulatory risks. Table 1 below provides an overview of the last five years’ hot spots.
Table 1: Audit hot spots over the last five years
| Information Security | Data Privacy | Cybersecurity – Technological Vulnerabilities | Data Privacy | Cybersecurity Preparedness |
| Strategic Change Management | Cybersecurity | Data Privacy | Cloud Vulnerabilities | Data Governance |
| Climate Change | Third-Party Relationships | Cybersecurity – External Threats | Strategic Workforce Planning | Third Parties |
| Geopolitical Instability | Strategic Change Management | Pace of Innovation | Information Security Behaviours | Data Privacy |
| Data Privacy | Business Continuity and Disaster Recovery | Change Fatigue | Business Continuity and Disaster Recovery | Ethics and Integrity |
| Third-Party Relationships | Competitive Environment | Organizational Sustainability | Digital Preparedness | Operational Resilience |
| Compliance Management | Talent Management | Third-Party Relationships | Corporate Culture | Cloud Computing |
| Risk Culture | Macroeconomic Volatility | Strategic Workforce Planning | Fraud | Digital Business Transformation |
| Strategic Workforce Planning | International Tax Planning | Political Uncertainty | Shareholder Intervention | Regulatory Uncertainty |
| Digital Marketing | Governance | Budgeting and Forecasting | Growth and Innovation Pressures | Strategic Workforce Planning |
| Strategic Decision Making and Execution | Geopolitical Volatility | Acquisition Integration |
| International Tax Planning | New Revenue Recognitions Standards | Trade and Tariffs |
Source: Gartner (November 2018)
Eight of the 12 hot spots for 2019 are associated with the ongoing digitalisation of businesses, governments and society. Of particular concern for 2019 are issues surrounding data and analytics.
Organisations of all types have exponentially increased the amount of data they collect and use at a time when public and regulatory scrutiny is very high, and the regulatory landscape is neither globally consistent nor stable. This creates major challenges in applying proper data governance, maximising the value extracted from data, and complying with regulation.
Recent high-profile data breaches and increased public attention have resulted in record fines in 2018, as well as high-profile job losses for senior executives. This seriously raises the stakes for organisational accountability in 2019, with Gartner estimates suggesting up to 50% of companies will not be compliant with GDPR privacy regulation by the end of 2018.
Aside from the complexities of collecting and managing data, the technological capabilities involved create a vastly expanded range of cybersecurity threats and much greater dependence on platforms delivered through third (or fourth, or fifth!) parties, often using cloud computing. Organisations are struggling to keep up with documenting and identifying all possible sources of risk. As their digital presence grows, there are more ways for malicious entities to attack, and more partners whose activities must be audited for compliance.
It’s also interesting to note that “ethics and integrity” appears as its own hot spot for the first time. This is driven both by its digital aspects, such as algorithmic decision making, and by the societal trend of organisations being held to higher standards than simply their financial performance or compliance.
The Cambridge Analytica scandal is a notable example of how data misuse has serious brand and societal implications, on top of legal and compliance penalties. The public outrage was so intense that governments were forced to act, calling on Facebook and other involved parties to testify and explain themselves. The market’s reaction was also punishing, with more than $100 billion knocked off Facebook’s share price in days, while Cambridge Analytica went out of business.
The situation was amplified by a contentious political context, but internal audit executives in all types of companies have taken note and are making plans to avoid similar incidents. Balancing data governance and privacy with the business need to drive growth through data-driven business models is a discussion that must occur at board level. If or when something goes wrong, the board will answer to the public and government.
Ethics and integrity concerns are also being driven in a different way by the powerful #MeToo movement, which focuses on sexual harassment and assault in the workplace. Longstanding cultural issues in organisations are more likely than ever to become public in ways that seriously damage corporate reputation and branding, lower workforce engagement, affect an organisation’s ability to hire top talent, and therefore impact the bottom line.
Other hot spots
Certainly, new trade barriers and tariffs bring real cost and growth pressure risks, as does the vastly shortened planning horizon that executives face in modern business. Strategic workforce planning has been a constant concern for audit leaders over the last five years, as increasingly low levels of unemployment and shifting work patterns in younger generations mean that companies are finding it ever harder to lure the talent they need to deliver their strategies and promises to investors or customers. All this together adds up to a challenging 2019 for audit leaders, with increased need for agility in their audit planning.
*Gartner created the 2019 Audit Plan Hot Spots report by combining input from interviews with more than 50, and a survey of 144, CAEs from its global network of client organisations.