https://www.corporatecomplianceinsights.

com/why-2019-could-be-a-challenging-year-for-internal-
audit/

Why 2019 Could Be A Challenging Year

For Internal Audit
Posted on November 13, 2018 by Malcolm Murray

External Threats Loom Large

With 2019 planning on the horizon, audit teams are beginning to consider external factors that
threaten to disrupt the success of their organization’s key objectives. Gartner’s Malcolm
Murray, Rafael Go and Leslee McKnight analyze 11 key risks, connected by four major risk
themes, that can help audit teams more effectively identify risks to their organization and their
impact on the audit function and their stakeholders.
with co-authors Rafael Go and Leslee McKnight
Ongoing favorable macroeconomic conditions have enabled organizations to continue pursuing
growth strategies, adopting technologies such as RPA and cloud, engaging in extended M&A
activities and expanding into foreign markets. To provide effective assurance over all these new
initiatives, risks that are more strategic and technical in nature are increasingly being included on
audit’s radar, expanding its breadth of risk coverage.
Each year, Gartner creates our annual Audit Plan Hot Spots report by combining input from
interviews and surveys with over 200 chief audit executives (CAEs) from across our global
network of client organizations, as well as extensive secondary literature reviews. This year, we
discovered four key trends underlying the risks expressed by CAEs as being critical to guide
their audit planning for 2019.

Theme 1: The Strategic Importance of Data

A growing number of organizations are using data as the basis for their business strategy and to
improve customer experience. Data is also critical to the implementation of transformative
technologies like robotic process automation (RPA) and artificial intelligence (AI). While
harnessing data can be a source of competitive advantage, with big data comes big risks in terms
of data quality, protection and responsible use. The following risks form a large component of
the following hot spots this year:
Data Governance
Most organizational data is riddled with errors, so business decisions are often made using low-
quality data. To reduce misguided decision-making and increase data-use efficiencies across the
organization, data governance is paramount, yet most organizations lack data governance
frameworks or are facing implementation challenges that severely hamper their ability to unlock
the big data’s potential.
Data Privacy
With the increase in new regulations and public scrutiny of organizations’ mishandling of data,
data privacy is a top concern for organizations across the board. Security threats continue to
grow —evidenced by the rise in data breaches — exposing organizations to regulatory fines and
sanctions, as well as a potential loss of customers due to a lack of trust in organizations’ data
protection capabilities.
Ethics and Integrity
As organizations race to implement new technologies, consideration of bias and ethics in digital
initiatives often takes a back seat. However, regulators and consumers alike are starting to
demand more accountability for ethics and integrity from organizations, forcing them to rethink
whether and how they should be leveraging digital capabilities.
Audit can help the organization tackle data-related risks by participating in relevant working
committees to provide input as governance frameworks are being built and conducting assurance
projects around data usage, access, classification and training.

Theme 2: IT Vulnerabilities
The growing complexity of organizations’ technology infrastructures and increased use of new
technologies — such as chatbots and the internet of things (IoT) — expand access points into the
organization. Many of these technologies go unmonitored or are slow to be patched. The
growing use by threat actors of advanced tools such as AI increases potential attack points and
the frequency of attacks. Reliance on IT systems also makes them more susceptible to outages
and downtime, which most organizations experienced at least once in the last year. Such outages
can cripple productivity, reduce revenue and damage the organization’s brand. To protect the
advantages that technology offers, organizations must overcome the following hot spot risk
areas:
Cybersecurity Preparedness
Cyberattacks are a reality for almost all organizations and result in significant financial loss,
reputational damage and potential compliance issues. As threat actors continue to multiply and
new technologies broaden the organization’s attack surface, cybersecurity preparedness is
critical.
Cloud Computing
Seeking cost savings and efficiencies, more organizations are moving significant amounts of data
and processes to the cloud, including sensitive and highly valuable information. With limited
visibility into cloud providers’ activities and a multitude of cloud applications being used
throughout the organization, cloud computing poses significant risks, such as data loss, outages
and inappropriate data access.
There are several activities audit departments can perform to provide assurance over IT
vulnerabilities, including assessing encryption, patch and vendor management and checking IT
controls such as policies on privileged user accounts and cloud application security
configurations.

Theme 3: Cost and Growth Pressures

Organizations face growing challenges to their business models from disruptive competitors.
Consequently, organizations are rapidly undertaking more digital transformation projects,
expanding into new sectors and markets and redesigning business strategies to keep pace.
However, in seeking cost efficiencies and adopting new growth strategies, organizations need to
be wary of weakening the control environment or deprioritizing governance and oversight. In
addition, organizations must ensure that they have the workforce needed to meet their changing
business objectives and strategies. Dependence on these new business strategies can manifest in
the following risks:
Third Parties
As organizations look to maintain competitiveness and relevance in the digital marketplace, they
are expanding their reliance on third parties. The interconnectedness of these relationships — as
more businesses pursue ecosystem business models and third parties increase their own reliance
on partners — amplifies operational and regulatory risk exposure.
Digital Business Transformation
Organizations are undergoing significant digital business transformation. These large
undertakings are often executed rapidly, creating significant risk. These risks include reduced
governance and oversight, as well as unintended consequences of increased fraud and potential
resource waste.
Strategic Workforce Planning
Quick adoption of emerging technologies and automation creates uncertainty in determining the
talent needs for achieving business objectives. Similarly, the broader use of data analytics and
growing cybersecurity threats increase the demand for more technical talent, which can be hard
to find and recruit. Combined, these factors make long-term strategic workforce planning
exceedingly difficult.
For these risks, audit should conduct assurance projects focused on vendor and supplier
contracts, improve governance of digital and automation projects, perform skills assessments and
align the frequency and extent of updates to strategic assumptions.

Theme 4: Shortened Planning Horizons

Uncertainty and volatility have been prevailing features of 2018 and are likely to also be for
2019. The number of disruptions threatening business operations continues to grow, while many
important policy questions remain unresolved.
Instability around the globe could precipitate economic decline and increase regulatory
fragmentation. Growing scrutiny from both regulators and the public have forced organizations
to consider accountability for their actions and rethink certain practices. All of these factors can
make it harder for organizations to anticipate what needs to be included in scenario planning
exercises, as well as to develop long-term strategies in a seemingly unpredictable environment.
From this, the following risks emerge:
Regulatory Uncertainty
The volume and complexity of regulations organizations must comply with are mounting. More
regulatory scrutiny in established areas, combined with regulatory uncertainty in new areas, like
the digital economy, make it difficult for organizations to form long-term strategies and meet
compliance requirements.
Operational Resilience
The number and scale of both internal and external factors that can disrupt business operations
are ever increasing, yet many organizations are ill prepared to maintain critical business
operations in the event of a disruption. Changing economic conditions and limited risk awareness
can challenge operational resilience, eroding business value and competitiveness as
organizations are unable to adapt and respond to changing conditions.
Trade and Tariffs
The global trade system faces the highest level of uncertainty in decades, and imposed and
impending tariffs threaten organizations, supply chains and growth strategies. While the current
volatility in the geopolitical environment raises uncertainty surrounding trade and tariffs, many
organizations have already started feeling the consequences of trade restrictions.
Audit can help the organization mitigate these risks by reviewing the frequency of and inclusions
in scenario planning, assessing the organization’s risk awareness and tolerance and evaluating
the organization’s mechanisms for monitoring change in the regulatory and economic
environment.

Internal Audit’s Challenge

Across 2019, it will be critical for organizations to manage these 11 risks. To do so, audit must
provide assurance over perennial as well as new, increasingly dynamic risks, requiring the
function to adapt its approach while maintaining its objectivity and independence.

Malcolm Murray
 Malcolm Murray is Research VP and Fellow at Gartner. He works with
heads of Audit at Fortune 500 companies to better leverage data analytics, automation
and other assurance functions to drive actionable change within their organizations. A
Chartered Financial Analyst, originally from Stockholm, Sweden, Malcolm holds an
M.Sc. in Business and Economics from the Stockholm School of Economics, an MBA
from INSEAD and a Master of International Management from HEC in Paris.