RISK IN FOCUS Hot topics for internal auditors - Institut für Interne Revision
CONTENTS
Executive summary: Navigating the perfect storm of high-impact interlocking risks
Methodology
Key survey findings
Macroeconomic and geopolitical risk, emerging and strategic risk: Auditing in a time of crisis
Climate change and environmental sustainability: Transition to climate change auditing
Human capital, diversity and talent management: The human factor
Cybersecurity and data security: Auditing at the speed of crime
Digital disruption and new technology: Switching to automatic
EXECUTIVE SUMMARY:
Navigating and auditing in the perfect storm of high-impact interlocking risks

In 2022, organisations were hit by a perfect storm of high-impact, interlocking risks that have thrown businesses into a permanent state of crisis. Following hard on the heels of the pandemic, the war in Ukraine has intensified supply chain failures, caused a spike in energy prices and fuelled inflation.

Now a state of crisis is the new normality.

Climate-related natural disasters, looming recession, an accelerating cost of living catastrophe in Europe, food shortages, employee welfare and skills deficits, and a rapidly industrialising cyberattack landscape are overlaid by intensifying geopolitical tensions and the very real threat of financial liquidity and solvency risks for businesses.

This has forced many organisations not just to rewrite their risk registers, but to tear up outdated risk taxonomies that favour old-style siloed thinking. Sudden, systemic organisation-wide risks with contagious, unpredictable ramifications throughout the enterprise are no longer seen as Black Swan events - but as interlocking elements of a continuous storm.

Internal auditors need to get a rapid grip on this situation and support their organisations to navigate more risky, uncertain and volatile times ahead. Instead of thinking about what individual risks might arise over the next year or two, chief audit executives need to be thinking over the coming decade. And be thinking big. How would we survive an overnight, permanent supply chain break with China? How would we cope if inflation hit 25% and stayed there, as it did in the 1970s? Are we prepared for the sudden, permanent increase in temperatures in every area in which we operate? Are we in a position to understand and help our clients and staff with the stresses and strains they face over the coming months and years?
The chief audit executives that participated in Risk in Focus 2023 are grappling with this reality. This year, the report explores five thematic risks – geopolitical uncertainty, climate change, organisational culture, cyber and data risk, and digitalisation and artificial intelligence. It outlines those challenges in detail and offers practical advice and know-how about how to help organisations adjust to this new reality.

There are few obvious, easy answers to these problems. But internal auditors are uniquely placed to play their part in developing long-term solutions that have a real impact on organisations and the communities they serve. They need to secure from the board the resources and remit to tackle the most pressing risks with urgency.

If there was ever a time for the profession to step up and deliver on its full potential, it is now.

[Figure: Venn diagram illustrating the perfect storm of high-impact interlocking risks. Segments: Geopolitical tensions; Financial liquidity – inflation, cost of living, strikes etc; Supply chain transparency; Raw material shortages; Cyber attacks; Transport/distribution bottlenecks]
METHODOLOGY

In the first half of 2022, a quantitative survey was distributed among chief audit executives (CAEs) by 14 European Institutes of Internal Auditors, spanning 15 countries including Austria, Belgium, Bulgaria, France, Germany, Greece, Ireland, Italy, Luxembourg, The Netherlands, Slovenia, Spain, Sweden, Switzerland, and the UK. This survey elicited 834 responses, an all-time high for this research project.

Simultaneously, four roundtable events were hosted with 39 CAEs and 9 subject matter experts were interviewed, including CAEs, Audit Committee Chairs and industry experts from a range of countries to provide deeper insights into how these risks are manifesting and developing.

The topics in this report were determined by the quantitative survey results and the qualitative feedback from the roundtable events and one-to-one interviews. The format of this report differs from previous years. Instead of giving each of the top ten risk areas relatively equal prominence, it was decided that a deeper look into areas of pressing importance to internal audit and their stakeholders would prove to be more useful. That is why the qualitative material has been used more prominently to contextualise the survey results, providing colour and up-to-the-minute considerations for CAEs, with priority given to new issues and emerging themes that warrant attention.

This report should not be considered prescriptive, but as a tool to inform internal audit’s thinking in making their annual plans and provide a benchmark against which CAEs can contrast and compare their own independent risk assessments.

We hope that CAEs will use this report as an agenda item for audit committee discussions and as a sense-checking tool to support their internal audit planning and strategy.

The report is also of relevance to a broader range of governance stakeholders including audit committee chairs, board members, risk management, along with other assurance and governance professionals.

[Infographic: 15 European countries involved; 9 in-depth interviews; 4 roundtable events with 39 participants; 834 responses from CAEs covering all sectors and industries]

Key survey findings
What are the top five risks your organisation currently faces?
Human capital risk moves into second place this year followed by macroeconomic and geopolitical uncertainty.

[Bar chart comparing 2023 with 2022, horizontal axis 0 to 100. Risk categories in the order shown:]
Cybersecurity and data security
Human capital, diversity and talent management
Macroeconomic and geopolitical uncertainty
Changes in laws and regulations
Digital disruption, new technology and AI
Climate change and environmental sustainability
Business continuity, crisis management and disasters response
Supply chain, outsourcing and 'nth' party risk
Financial, liquidity and insolvency risks
Organisational governance and corporate reporting
Organisational culture
Fraud, bribery and the criminal exploitation of disruption
Communications, reputation and stakeholder relationships
Health, safety and security
Mergers and acquisitions

Looking ahead

What are the top 5 risks that your organisation will face three years from now?
Cybersecurity and data risk is set to remain the number one risk to organisations.

[Bar chart comparing 2026 with 2023, horizontal axis 0 to 100. Risk categories in the order shown:]
Cybersecurity and data security
Human capital, diversity and talent management
Climate change and environmental sustainability
Digital disruption, new technology and AI
Macroeconomic and geopolitical uncertainty
Change in laws and regulations
Business continuity, crisis management and disasters response
Supply chain, outsourcing and 'nth' party risk
Financial, liquidity and insolvency risks
Organisational culture
Organisational governance and corporate reporting
Fraud, bribery and the criminal exploitation of disruption
Communications, reputation and stakeholder relationships
Mergers and acquisitions
Health, safety and security

Risk priorities vs. audit’s focus

What are the top 5 risks on which internal audit spends most time and effort?

[Bar chart comparing time and effort spent in 2023 with risk priority in 2023, horizontal axis 0 to 100. Risk categories in the order shown:]
Cybersecurity and data security
Organisational governance and corporate reporting
Change in laws and regulations
Financial, liquidity and insolvency risks
Business continuity, crisis management and disasters response
Supply chain, outsourcing and 'nth' party risk
Fraud, bribery and the criminal exploitation of disruption
Digital disruption, new technology and AI
Organisational culture
Human capital, diversity and talent management
Climate change and environmental sustainability
Health, safety and security
Communications, reputation and stakeholder relationships
Mergers and acquisitions
Macroeconomic and geopolitical uncertainty

Looking ahead

What are the top 5 risks you expect internal audit to spend the most time and effort addressing 3 years from now?

[Bar chart comparing 2026 with 2023, horizontal axis 0 to 100. Risk categories in the order shown:]
Cybersecurity and data security
Digital disruption, new technology and AI
Business continuity, crisis management and disasters response
Climate change and environmental sustainability
Change in laws and regulations
Organisational governance and corporate reporting
Financial, liquidity and insolvency risks
Human capital, diversity and talent management
Supply chain, outsourcing and 'nth' party risk
Fraud, bribery and the criminal exploitation of disruption
Organisational culture
Communications, reputation and stakeholder relationships
Macroeconomic and geopolitical uncertainty
Health, safety and security
Mergers and acquisitions
While cybersecurity continued to hold its top place in the Risk in Focus 2023 survey as the number one risk businesses face, human capital risk moved into second place (up from fourth in 2022) followed by geopolitical risk in third (up from seventh). The shortage of skills and labour has become more acute as behaviours engendered during the pandemic have started to play out.

[Figure: Risk trends over time, 2020 to 2023. Vertical axis: percentage of CAEs who cited the risk among their top 5. Series: Human capital, diversity and talent management; Macroeconomic and geopolitical uncertainty; Climate change and environmental sustainability; Supply chain, outsourcing and ‘nth’ party risk]

Even as the risk of business continuity failures and financial, liquidity and insolvency risk that the pandemic had boosted in 2021 faded in 2022, the war in Ukraine helped to push geopolitical uncertainty risk higher. Rapid changes to the sanctions regimes for Russian businesses, as well as long-running developments in regulation over a wide range of issues, meant that changes in laws and regulations are still seen as a major threat (down to fourth place in 2023 from second in 2022).

Climate change is becoming a more persistent theme in the Risk in Focus surveys, rising this year to sixth place from eighth in 2022, and is starting to be a key area of internal audit activity as respondents expect the risk to rise to third place in three years’ time. In contrast, digital disruption fell from third to fifth place in 2023 with respondents also ranking it as low in the threat hierarchy three years from now. For example, last year respondents said it would rank second place in three years’ time – in 2023, they say it will rank fourth place in three years’ time.

If the risk rankings are changing rapidly, the areas on which internal auditors spend their time appear to be relatively static – raising the question of whether some functions need to be more agile to meet the changing needs of their organisations. Human capital, for example, moved up from 11th place in 2022 to 10th this year in terms of time and effort spent on this risk area, despite the huge pressure organisations are under to attract, retain, train and protect the well-being of staff. Organisational governance and corporate reporting, on the other hand, held its position as the second biggest area that received internal audit’s attention. How well internal audit departments continue to align their efforts to the needs of their organisations is likely to become more of a pressing issue as large-scale interconnected risks continue to rise with unprecedented speed in the years to come.

Geopolitical risk has risen to third, up from seventh in 2022
MACROECONOMIC AND GEOPOLITICAL RISK, EMERGING AND STRATEGIC RISK
Auditing in a time of crisis

Macroeconomic and geopolitical uncertainty has jumped up the risk rankings in 2022, but such recent events could indicate a permanent change in the nature of emerging risk. Internal auditors must adapt to provide relevant assurance to their organisations.

The war in Ukraine took many organisations by surprise, including those with deep commercial interests in the region. As the Risk in Focus 2023 survey took place during the first quarter of 2022 when the conflict was just beginning, the crisis helped to push macroeconomic and geopolitical uncertainty into 3rd place in the survey, up from seventh just a year ago, with 46% citing it as a top five risk this year, compared to 32% last year.

In a special question on the war, internal auditors said that the event’s immediate impact on their risks included most prominently macroeconomic and geopolitical uncertainty.

What top five risks has the War in Ukraine had the most impact on?

[Bar chart, horizontal axis 0 to 100. Risk categories in the order shown:]
Macroeconomic and geopolitical uncertainty
Cybersecurity and data security
Business continuity, crisis management and disasters response
Supply chain, outsourcing and 'nth' party risk
Financial, liquidity and insolvency risks
Change in laws and regulations
Communications, reputation and stakeholder relationships
Health, safety and security
Fraud, bribery and the criminal exploitation of disruption
Climate change and environmental sustainability
Human capital, diversity and talent management
Organisational governance and corporate reporting
Digital disruption, new technology and AI
Organisational culture
Mergers and acquisitions
Yet, internal auditors also said in the response to the general questions in Risk in Focus 2023 that risks associated with macroeconomic and geopolitical uncertainty ranked only 15th in terms of their time and effort – and were only likely to rise to 13th place on this metric in three years’ time. As the extended ramifications of the conflict continue to unravel, this lack of attention to such a key risk seems either short-sighted or untenable.

The conflict has forced businesses into swift, often large-scale action. Organisations with ties to Russian businesses and the government severed them. Some organisations sold Russian subsidiaries at rock-bottom prices while others scrambled to source supplies of goods and services from outside the country. In response to sanctions by the European Union, the United Kingdom and the United States, Russia cut its supplies of oil to Bulgaria, Finland and Poland – pushing up prices. At the time of writing this report, the situation is highly volatile.

The war has also impacted financial liquidity and insolvency risk. While it ranked ninth when considered as a top risk facing organisations in the Risk in Focus 2023 survey (down from sixth last year), the risk scored fifth when considered as a direct impact of the conflict in Ukraine. The crisis comes at a time when Europe is winding down its unprecedented €2.3 trillion [1] aid package for businesses and governments across the zone and inflation – stoked by a cocktail of rising energy costs, wages and food prices – is on the rise. Not only are businesses readjusting to a changing customer landscape following the pandemic, but the war has also helped push the eurozone into becoming a lower growth, higher inflation region [2]. Coming into the winter of 2023, these tensions are likely to intensify, especially if food and gas shortages worsen.

Further pressure on corporate finances is likely during 2022 and 2023 as the European Central Bank looks set to end 8 years of negative interest rates to deal with inflationary pressures. But perhaps surprisingly, the perceived impact of financial liquidity risk and insolvency risk dropped from sixth place in 2022 to ninth in the Risk in Focus 2023 survey, suggesting that many organisations that had survived the depth of the pandemic felt more confident about their prospects. Yet the speed at which high-impact change can impact organisations raises the uncomfortable question over whether internal auditors have given this risk enough prominence.

“Chief audit executives should re-examine their audit planning process to see if it is fit for the 2023 risk landscape”

[1] COVID-19: the EU’s response to the economic fallout, European Council of the EU, June 2022
[2] Spring 2022 Economic Forecast: Russian invasion tests EU economic resilience, European Commission, May 2022
Rapid changes to sanctions

If a major area of focus in last year’s survey was environmental regulation, this year it is the sudden acceleration of sanction risks. Internal auditors said dealing with changes in laws was the 3rd biggest risk in terms of the time and effort for their departments – the same as last year. While not a new threat, the scale and intensity of sanctions imposed on Russia by the European Union, United Kingdom and the United States has been unprecedented. Not only do they target Russian commercial and political interests, but individuals associated with the regime too.

It is a risk that is likely to grow in 2023 and beyond, Angela Foyle, a partner at BDO specialising in economic crime, says. She warns that sanctions will increasingly become a weapon of choice for countries as they continue to wage economic war against opposing regimes. Tackling the fallout could force internal auditors and risk professionals to allocate more time to business continuity, supply chain and liquidity risks - all identified by Risk in Focus 2023 survey respondents as impacts of the crisis.

Agility of risk assessments

“Sanctions of this scale and complexity are a nightmare to police,” Foyle says. Since they originate from different jurisdictions and apply to both organisations and individuals, simply keeping risk assessments up to date can be challenging. Businesses must map the restrictions imposed by all countries across their global enterprise - including those relating to sources of funding. Tracking the money trail when assets can be held by family members of those individuals who have been sanctioned can be difficult, time-consuming and costly.

Just as the quantity and depth of measures are altering, penalties are rising too. In 2022, for example, the UK introduced strict liability for sanctions breaches for both corporate entities and, potentially, directors, as well as name-and-shame procedures for those caught on the wrong side of the line [3]. Foyle says internal auditors should support their organisations to both maintain up-to-date risk assessments in this area and strengthen controls for screening those with whom they do business, including both suppliers and shareholders. Having easy access to such data may mean beefing up data governance to increase transparency.

This is a key area where internal auditors must seek to work in co-ordination with first and second lines – especially legal, compliance and risk management. While many chief audit executives participating in Risk in Focus roundtables said they worked with other parts of the business, the practice of combined assurance is not as widespread as it might be – despite being the topic of IIA Standard 2050 [4].

[3] The UK government passed the Economic Crime (Transparency and Enforcement) Act 2022 on 15 March 2022, which included these provisions
[4] Combined Assurance: One Language, One Voice, One View, Sam C. J. Huibers EMIA, RO, CRMA, The IIA Research Foundation, 2015
Emerging risks changing in nature

For Greg Schlegel, founder of the Supply Chain Risk Consortium in the US and Adjunct Professor for teaching enterprise risk management for Villanova University’s EMBA programme, first the pandemic and now the conflict in Europe have underlined a fundamental shift in the nature of emerging risks.

Instead of being siloed into the kind of categories that appear on most risk registers, such threats cut across all business areas and are fundamentally outside of the organisation’s control. Low-probability, high-impact events such as natural disasters, political upheaval, inflation, pandemics and wars may turn out to be more common than people think. Supply chains not only face disruptions from geopolitical tension, but from shortages of raw materials and components – from grain to computer chips – and from a lack of workers following the pandemic and events such as Brexit. In fact, Schlegel says the strategic threats posed by supply chain disruption are often existential either to lives or organisations.

Too many assurance professionals overlook their importance, he says, or perhaps some boards set different priorities for them. While internal audit priorities may not always map onto strategic risks, a recurring issue flagged by the Risk in Focus 2023 survey (as well as in the 2022 survey) is a persistent mismatch between what internal auditors identify as their organisations’ key risks and where they spend most of their time. For example, respondents rated human capital and macroeconomic risks in 2nd and 3rd place in the biggest risk ranking - but 10th and 15th place for the time allocated to deal with them. By comparison, behind cybersecurity, internal auditors spend most time on organisational governance and corporate reporting, and changes in laws and regulations.

“When auditors see one of these low-probability, high-impact strategy risks, they tend to kick the can down the road,” Schlegel says. It is a trend he sees among his manufacturing clients where many spend the most time on tactical and operational risks which have minimal impact on the business. If chief audit executives find themselves in this situation, he urges them to re-examine their audit planning process to see if it is fit for the 2023 risk landscape. “Auditors have to get executives involved in this process,” he says, “by putting together a compelling, forward-looking business case that clearly spells out the risks and rewards.”
Supply chain disruption

In particular, Schlegel predicts that stress on supply chains will be a constant feature over the next few years, especially since the European Commission’s Proposal for a Directive on Corporate Sustainability Due Diligence seeks to further tighten environmental and human rights protection in law [5]. In this year’s survey, supply chain, outsourcing and “nth” party risk ranked eighth in terms of its potential impact (up from ninth in 2022) and respondents said it ranked sixth in terms of the areas where internal audit functions spend most time and effort.

The nature of extended enterprises means that organisations are increasingly exposed to high-impact events directly and through their supply chains. The answer?

“Get clear visibility of your supply chains then digitise them,” Schlegel says. That means taking the entire supply chain structure and putting it into a digital model so that internal auditors can do “what if scenarios?” for their businesses. Once management sees how the supply chain reacts and what the potential cost of such events is, they will be able to begin building risk mitigation plans grounded in reality. It will also help build the case for better funding for the second and third lines.

Yet over and above these systemic risks that cut across many areas of the business, operating in a permanent state of emergency poses its own challenges.

Crises now systemic

“It is more than three years now since we have been in a state of emergency, including most recently from the situation in Ukraine, and we can see that these crises are becoming systemic,” Stanislas Martin, chief risk officer at the French energy company EDF who is responsible for crisis management at the business, says.

Every sector has its own story. As well as the pandemic, a storm-induced, winter energy outage in Texas in 2021 triggered concerns in the industry that exceptional worsening weather conditions could lead to more frequent shutdowns elsewhere in the world. Energy systems are generally designed to withstand peaks in demand during cold snaps - but not if they happen in all parts of the system (or across inter-connected countries) at the same time. It sparked a global rush in energy businesses to understand which lessons could be learnt from the Texas storm and to ensure that they could manage such risks in future. Then, from September 2021 – and set to continue into 2023 – energy shortages started to send prices high, a situation that has spiralled into a full-blown global crisis because Russia is a key supplier of gas in Europe.

“These crises are becoming systemic”

[5] Just and sustainable economy: Commission lays down rules for companies to respect human rights and environment in global value chains, European Commission, February 2022
“How do you think through a scenario when it is a potential issue and before it gets to the stage of crisis?”

Crisis management systems broken

Martin agreed with Schlegel that while in the past, crises generally were contained in one or two areas of the business, now they infuse all aspects of an organisation with urgency and a heightened sense of threat – but enterprises that are not properly trained through global crisis management exercises find it difficult to resolve issues quickly because of the scale and complexity of their potential impact and the fact they have no control over their causes.

Traditionally, an operational crisis management team would help the part of the business affected deal with the event and attempt to bring it under control. If several crises arose in a year, people would be rotated in and out of the team because of the intense nature of the work. These types of arrangements have been fundamentally broken by recent events because it is beyond the scope of a crisis management structure to cope with non-stop emergencies. Internal auditors responding to the Risk in Focus 2023 survey rated business continuity, crisis management and disaster response fifth as the risk area where they spent most time and effort – compared with fourth in the 2022 survey.

In many industries, the entire enterprise has effectively become the crisis management team whether they have been prepared for it or not. In addition, says Martin, the impact of such threats can jump unpredictably from one area of a business to another within days, weeks and months - in effect creating sub-crises of differing intensities - in a way that makes resource allocation critical.

“The cumulative level of fatigue and employee burnout has also to be taken into consideration,” he says. Additional pressure on staff from waves of colleagues falling ill during the pandemic, or key posts remaining vacant, have added to a sense of exhaustion, not just in front line services such as health and retail, but more generally in all sectors where rolling crises have become the norm.

Given that businesses are already struggling to retain and attract staff, risk managers and internal auditors need to push training and well-being centre stage in 2023 to help both organisations and their departments improve their resilience (see Human capital chapter, defining better controls).
Reassessing global risk

The conflict in Ukraine has revealed that the interconnected global energy systems that were established to ensure stability of supply can become a cause of vulnerability and risk, says Ken Marnoch, Executive Vice President, Internal Audit and Investigations, Shell International. Not only are the energy implications of reducing Europe’s reliance on Russian energy complex, but they could take years to play out.

“The situation is similar to what happened with the COVID-19 pandemic. Based on experience with dealing with other virus outbreaks, for example severe acute respiratory syndrome, or SARS, there was initially a belief that the COVID-19 pandemic would be a localised problem,” he says. “That meant that very few people asked the question, ‘what happens if our global supply chains get disrupted because of a pandemic?’, much less prepared for it.”

Risk mitigation plans often missed the possibility of global demand for the same pieces of medical equipment at the same time as a global disruption to supply chains. With the benefit of hindsight, the assumptions and the natural tendency to ‘hope for the best’ did impact the response to such a large-scale event.

Over the last couple of years, Shell businesses have rethought ‘risk management’. The kinds of credible worst-case scenarios that used to be relatively confined to the crisis management team have now become much more readily disseminated and discussed within the businesses as part of everyday risk management. In addition, business continuity planning is now reframed to think with a local or regional focus as well as discussing what could happen if all parts of the organisation were affected by the same or linked events - such as the switch in energy usage patterns and IT network loads when working from home became a global phenomenon.

“How do you think through the range of scenarios, including the credible worst case, when those scenarios are still only a potential issue and not yet a crisis?” he says. “From a practical point of view, that can entail consciously encouraging critiques to be actively raised and considered.”

Clarifying risk appetite

Marnoch and his team are engaging in what he calls “stronger conversations about risk appetite”. He says having a clear understanding of how much risk each business can take on in specific areas is most useful during a dilemma - where all choices may have potential upsides and downsides. Then, clarity on the appetite for the risks associated with the different choices can act as a guiding light through the problem.

Historically, Shell’s internal audit had focused on operational, culture and conduct-based risks. The internal audit group has now set up a specific team to focus on the risks and control framework associated with the delivery of strategic objectives.

“If you break strategic objectives down to measurable goals, the related risks, the explicit controls, and an understanding of
how business leaders know that the controls are working, then you have the scope for an internal audit,” he says. “Part of the role of the new team is to help people move away from fixed thinking around the correctness of assumptions they made at the beginning of a project, or strategy, when so much in the world is changing dramatically. How to be actively inquisitive, to find information that tests the beliefs and the fast feedback on the current reality are required to navigate an uncertain future.”

“If you let go of the need to be right and acknowledge it was a decision made with the best information at the time, you will be more open to looking for information that challenges your thinking. That opens up a lot more power in managing a key risk in the delivery of your strategic objectives.”

Key questions for internal audit in evaluating the risks of the organisation

1. In terms of the time and effort spent on internal auditing assignments, how is internal audit aligned to the organisation’s strategic objectives – including on geopolitical risk and climate change?
2. How strong is the support for internal audit activities in areas such as strategy and crisis management and what can be done to improve that support where it is lacking?
3. How far is internal audit able to leverage resources of other lines to provide proper coverage and minimise the duplication of effort?
4. How do you know whether the assumptions the organisation (and the internal audit function) have made about the nature of key risk areas are still valid today and fit the circumstances likely to arise in 2023?
5. Does the organisation have up-to-date risk assessments for sanctions risk and robust controls for screening third party ownership and company shareholders?
6. How far does the organisation take advantage of digital tools to model key risks and to run “what if” scenarios?
7. Have you reassessed the relationship between the organisation’s business continuity, crisis management and risk management teams to ensure they are fit for purpose?
8. Does the organisation seriously consider critical voices and those of external experts in their assessment of risks?
CLIMATE CHANGE AND ENVIRONMENTAL SUSTAINABILITY

Transition to climate change auditing

Auditors are beginning to get to grips with auditing environmental sustainability, but helping organisations achieve their objectives requires a holistic approach.

While internal auditors have had climate change on the agenda for some time, chief audit executives taking part in this year’s Risk in Focus 2023 roundtable on the topic agreed that it was moving higher up their agendas. “Last year we were starting to wake up to the issue with training and seminars; this year we are getting into the detail and starting to implement environmental issues in every audit,” said one participant.

In the Risk in Focus 2023 survey, internal auditors said that climate change was the 6th most important risk they faced, up from 8th last year, with 37% citing it as a top five risk compared to 31% last year. And they expect it to move up to 3rd place in the risk rankings and 4th in terms of the amount of time they spend in three years’ time – that makes it one of the most dynamic, fast-moving risk areas for the profession.

As temperatures soared to unusually high levels across Europe at the time of writing, the evidence of unpredictable change is clear – yet unless internal auditors get a firm grip on the issue now, the risk could become the next big crisis that organisations are unprepared for. While internal auditors are shifting more resources into climate change assignments, they do not yet give it the priority it deserves. Today, it ranks only 11th place in terms of where they say they spend their time and effort. If internal auditors want to move it to 4th place, they need to step up their efforts in this area today.
COP26’s stretching goals

The Conference of the Parties (better known as COP 26) set fresh climate goals that organisations may struggle to help meet. Key targets included securing net global emissions by 2030 to keep warming to 1.5 degrees within sight [6]. In addition, in 2022 the European Financial Reporting Advisory Group released the Exposure Drafts for European Sustainability Reporting Standards, a key component of the Corporate Sustainability Reporting Directive. These are due to be finalised by the end of 2022, as are the International Sustainability Standards Board’s own financial rules on climate and sustainability-related disclosures [7].

In key sectors, the impact of COP26 will be huge. “For Shell, Powering Progress sets out our strategy to accelerate the transition of our business to net-zero emissions by 2050. Shell’s current operating plans do not reflect our 2050 net-zero emissions target. In the future, as society moves towards net-zero emissions, we expect Shell’s operating plans to reflect this movement. However, if society is not net zero in 2050, as of today, there would be significant risk that Shell may not meet this target. This is a global challenge and one where we also need to work with our customers and across sectors to accelerate the transition to net zero. We can learn from the experiences from the response to the pandemic and the conflict in Ukraine,” Ken Marnoch, Executive Vice President, Internal Audit and Investigations, Shell International, says. The world needs more and cleaner energy solutions to power progress, and this requires fast learning, complex decision-making and effective risk management at Shell.

Climate change framework

Shell is developing its management frameworks to enable it to make the transition to net zero, and Marnoch wants his team to be part of the assurance around the frameworks as they are being built. Shell Internal Audit is therefore asking questions on the business objectives, the risks associated with those objectives, what controls would be appropriate and how assurance around those controls can be integrated as the frameworks develop.

He says that internal auditors should make sure that they can be involved during the carbon transition journey. They can provide timely feedback and provide assurance to the Audit Committee about how it is developing and how risks are being managed instead of coming in a couple of years down the line and raising concerns.

“The energy transition to renewables has very similar dynamics to the pandemic and the conflict in Ukraine”

[6] COP 26 goals, UN Climate Change Conference UK 2021, 2021
[7] New proposals for European Sustainability Reporting Standards, Accounting for Sustainability, May 2022
Internal audit’s role

Because organisations are at different levels of maturity in their journey to achieving environmental sustainability, internal audit’s role can be hard to pin down with certainty. Those who are unsure should consult Chartered IIA UK and Ireland’s paper, Harnessing internal audit against climate change risk, which urges boards to give functions the authority to work at a strategic level on the issue [8].

The IIA Netherlands paper Climate change and environmental risk [9] advises centring efforts around assurance on reporting, the risk management of sustainability goals and (or) climate-related consultancy where needed. (This risk can be tackled by internal auditors in five ways outlined in the Risk in Focus 2021 special supplement [10].)

Chief audit executives at the Risk in Focus 2023 roundtable agreed that, as well as helping management shape strategies and goals, internal auditors must lead the way in helping raise awareness and drum up meaningful support for environmental initiatives. “Some people will want to just chase the key performance indicators, but others at all levels of seniority really believe in the climate agenda,” said one chief audit executive. “Get those people involved and set goals from the bottom as well as the top of the business to create a full process that is driven by those who want to see change happen.”

Chief audit executives should also ensure that those team members who are most committed to helping address climate change issues are assigned key roles in assignments where feasible. They are more likely to challenge management and push for internal audit recommendations to be completed. The attitudes of internal audit team members on the issue can be assessed in staff evaluations.

[8] Harnessing Internal Audit Against Climate Change Risk, Chartered IIA UK and Ireland, October 2021
[9] Climate Change and Environmental Risk - challenges and tools for Internal Audit, IIA Netherlands, 2021
[10] RiF 2021 Practical guidance on climate change and environmental sustainability, European Institutes Research Group, January 2021
“We can make some big improvements without overloading people as they struggle to cope with various crises”

Avoiding box-ticking and green-washing

Moving to a more practical approach has thrown up some thorny questions. For example, attendees at the roundtable agreed that there is currently too much emphasis placed on the important topic of reporting - not surprising given regulatory pressures in both the United States and Europe - a key topic in Risk in Focus 2022. But that leaves open the question of how an organisation’s governance model is to work effectively to integrate sustainability goals without it being relegated to a box-ticking exercise around regulatory requirements. In addition, a separate study by IIA Netherlands found that measures taken to tackle climate change risk range from including the topic in the risk register (47%) to using KPIs (41%) – but none of the initiatives were used by over half the organisations surveyed [11].

Internal auditors must ensure that their organisation’s basic compliance efforts do not replicate the worst excesses of the culture created by the 2002 Sarbanes-Oxley Act over controls around financial reporting. That pushed swathes of internal auditors into low-level compliance exercises, sometimes at the expense of being able to provide more value-adding services.

“It is easy to build a SOX-style system that does not help the organisation achieve its environmental objectives,” the chief audit executive at an international IT company says. “There is a risk that there will be many companies who are good at communicating on environmental risk, but poor at managing it.”

But, he says, chief audit executives must accept that it will be a long journey, not least because the activity is in its infancy. In his view, the risk of green-washing is partly an outcome of having relatively low levels of maturity in the non-financial reporting standards currently available and in development. He sees a parallel with the development of more stringent capital adequacy requirements, particularly the self-assessment of risks, that arose in the financial services industry following the economic crisis of 2007-2008.

“From that example, it is easy to see that it will take time for KPIs around environmental reporting to make sense and become properly comparable,” he says.

[11] Climate Change and Environmental Risk - challenges and tools for Internal Audit, IIA Netherlands, 2021
Focus on ESG

Echoing comments made by chief audit executives during the Risk in Focus environmental roundtable, he adds that his recommended approach for internal auditors is to consider that Environmental, Social and Governance (ESG) really begins with the “G” of Governance [12]. In fact, while organisational governance and corporate reporting ranked 10th as a risk in the Risk in Focus 2023 survey, it ranked 2nd in terms of the area where internal auditors spend their time – suggesting many see it as an opportunity to help their organisations manage a wide range of issues, including climate change [13].

“You could say that governance is the mother of all concerns and all solutions,” the chief audit executive at an international IT company says. “Good governance will provide the transparency you need to protect you from green-washing. And it also provides assurance to key stakeholders that you are on the right path.”

For some organisations, such as banks, the business’ own environmental impact is relatively easy to measure in terms of its infrastructure of buildings and energy consumption. More difficult is its risk assessment of the carbon impact related to loan books, for example - a key third-party risk.

Linking controls to environmental strategy

“Banks’ policies and philosophies on financing transition, who you will or won’t do business with is fundamental,” John Devine, risk committee chair for abrdn, says. “These decisions are wider than just climate change, they feed into the entire ESG agenda.”

Devine says that because the situation is fluid, internal audit must adapt its approach accordingly. Irrespective of specific new developments, every organisation must have a clear strategy, which it can talk about to investors and “walk the walk.”

“Since every company is making legal, voluntary and marketing disclosures in these areas, internal auditors need to make sure that the control processes underpinning what a company is saying really resonates back to the core strategy,” he says, “because the big risk is that those statements are wrong.”

If banks are lending to coal-burning companies on the axis of transition, for example, they must have policies in place to validate that external business’ carbon transition plan. Internal audit’s role is to ensure that the bank has robust controls in place around those validation processes.

The driver that will continue to push accurate reporting beyond heavily regulated industries, Devine believes, is shareholder pressure. Proxy agencies, pressure groups and individual investors, for example, may take a relatively binary view on whether a business is meeting its environmental targets, he says. Over the past few years, that pressure has driven the need for better control processes to validate information and led, in Devine’s view, to the need for the professionalisation of non-financial indicators.

[12] Internal Audit and ESG Criteria, IIA Spain, November 2021
[13] Global Perspectives & Insights - The ESG Risk Landscape, Global IIA, 2022
Building skills and knowledge

Over and above the necessary technical auditing skills, the chief audit executive must understand the business, the context in which it operates, and crucially must have influence. “The chief audit executive must have a seat at the table, be able to talk to the CEO, the audit committee, and get things on the agenda and make sure audit’s voice is heard and is listened to,” he says.

While Devine accepts that outside of larger, multinational industries, chief audit executives do not always enjoy that status, he says that organisations that want to get to grips with climate change and broader ESG issues must give the function the prominence it needs to do its job.

Chief audit executives at the Risk in Focus 2023 roundtable mostly said they were taking a blended approach to auditing particular environmental issues, although some departments had yet to start full-scale, real-life auditing. A blended approach entails both conducting audits on the specific impact of the business on the environment - using, for example, standards such as ISO14001 - at the same time integrating sustainability issues into other audits, where possible.

For those who have started environmental auditing, one of the biggest challenges has been to up-skill their teams – a difficulty for all departments given the struggle to attract and retain high-quality staff into internal auditing, an issue raised by most Risk in Focus 2023 roundtable participants under all topics covered by this year’s report. Understanding the complex global regulatory landscape and its potential significance for the business can be a major undertaking and many businesses seek help from external audit firms and global consultancies. But it is only half the picture. The other is being able to bring in engineers, scientists and other experts to help with building subject matter expertise. While some assistance can be found within the business, increasingly chief audit executives are turning to external sources for help to source such experts. Internal auditors must ensure their departments have access to the right skills and knowledge to get on top of climate-related risk before it is too late.