2021 internal audit priorities annual survey
TRANSCRIPT
2021 INTERNAL AUDIT PRIORITIES ANNUAL SURVEYEmbracing the New Now Shaping the Future
Emerging Risk during the New Now
Today’s Audit Leaders outlook is one of reflections on the past - driving new priorities and results, embracing the new now with effective ways of auditing remotely, and shaping the future with more involvement by internal audit in key risk areas.The number one risk continues to be cybersecurity but closely integrated with talent management and workforce changes.
Talent moved six spots up the list of emerging risks to #2 and became a prominent part of the discussion - whether it was about the skills revolution (and the increased need for data analytics and cybersecurity skills) or retention and attraction and managing through the great reawakening.
TOP EMERGING RISKS IMPACTING AUDIT LEADERS Respondents asked to rank top three risks
Similar to the top emerging risks for Audit Leaders, areas of focus for Audit Committees were data privacy/cybersecurity (65%), emerging risk impacting major company initiatives (45%), and regulatory compliance (33%). Of note, is a 19% decrease year over year in operational resiliency as companies transition to a more stable environment during the pandemic.
2021 Internal Audit Priorities Annual Survey – Jefferson Wells | 2
Data Privacy/Cybersecurity
Regulatory Compliance
Major Company Initiatives
TOP 3 AREAS OF FOCUS FOR AUDIT COMMITTEES
Cybersecurity65+35MSupply Chain Disruption/ Third Party Risk26+74M Operational
Resiliency25+75M Fraud Risk16+84M
Financial Instability10+90M Employee
Health & Safety10+90M
Talent Retention & Attraction43+57M Business
Transformation, Digitization, RPA & AI37+63M Regulatory
Compliance32+68MIT Deployment, Strategy and Governance Changes30+70M
65%
30%
10%
43%
26%
10%
37% 32%
16%25%
65%
45%
33%
Talent Management & Workforce Challenges
Our 2020 survey results showed employee health & safety as #2 for top emerging risks. The 2021 survey is still centered on the employee but #2 is now all about retention and attraction. We are in an unprecedented dramatic workforce transformation. ManpowerGroup President, North America, Becky Frankiewicz, recently shared “workers across the country are experiencing a great awakening, expecting more from their lives and from their work.” This is also reflected in our internal audit priorities survey with the three biggest challenges in hiring and retaining internal audit talent being access to technical skillset, the labor market, and compensation requirements.
Organizations would do well to acknowledge workforce changes. Workers want more from work than just a paycheck. New expectations of flexibility, work-life blend, and health and well-being are contributing to a shift in how people participate in work and engage with their jobs. To successfully manage talent, audit leaders will need to prepare to move on from the past and into the future of work.
Internal audit leaders have been successful in creating a positive impact on working methods. The majority of respondents (74%) will implement a hybrid way of working going forward with a combination of remote and on-site. Less than a quarter (24%) are looking to return to a 5-day work week on-site with 2% unsure of how their organization will proceed.
21% of larger audit teams are actively using RPA/AI technology to eliminate the need to hire more resources. Others are challenged with backfilling current openings as volatility in the talent market continues with some employees seeking change and others moving completely out of the workforce. External support continues to be utilized for specialty skillsets such as cybersecurity and data analytics in addition to basic blocking and tackling.
The perceived skills gap centers mainly on data analytics (62%) and cybersecurity (53%) with operational understanding (42%) and soft skills (38%) following closely behind. Analytics is proving the more urgent issue as over two-thirds (67%) are currently using data analytics tools to expedite and support some stage of the internal audit process. There is a lack of data analytics skills and knowledge within audit departments. These skills are difficult to build and retain internally, and the job market is offering little relief.
THREE BIGGEST CHALLENGES IN HIRING AND RETAINING INTERNAL AUDIT TALENTTalent demand and skills requirements will continue to drive the need for additional variable workforce options. Increased demand for maintaining adequate technical skills is causing 49% of audit leaders to depend upon outside support for technical expertise.
Ski
ll Set
Compensation
Labor Market
2021 Internal Audit Priorities Annual Survey – Jefferson Wells | 3
90%9 in 10 audit leaders report their business will have to use external support to execute some portion of their overall audit plan.
Data Analytics62+38M65% Cyber
Security53+47M43%
Operational Understanding42+58M37% Soft Skills38+62M32%
Remote work was seen to be either as effective (61%)
or more effective (18%) than pure on-site work.
1
2
3
Internal Audit’s Role in Cybersecurity
It’s not surprising that for the fourth year running, data privacy and cybersecurity are still top on the audit committee’s agenda and the number one emerging risk for internal audit leaders. =Since the beginning of 2021, high profile cyber-attacks have dominated media headlines. These attacks are growing in amount and complexity, and an organization’s business and reputational risk is at stake. Survey results show the focus of cyber defense within internal audit remains broad; sophisticated scams and malware are a lower concern.
Is this a sign there may be an organizational conflict between internal audit and information security teams around ownership? There may be, but as the third line of defense, internal audit has a fiduciary responsibility to audit the risk.
DRILLING DOWN, WE FOUND THREE KEY OUTCOMES ON HOW INTERNAL AUDIT IS OR ISN’T DRIVING DEFENSE MECHANISMS FOR THEIR ORGANIZATION.
70% of internal audit leaders included cybersecurity in their most recent technology risk assessment, but of particular interest are the cyber defense elements not consistently being assessed independently by internal audit. Interestingly, 6% of respondents do not have any of these elements independently assessed at all. Plus 19% of respondents do not include hosted or cloud-based services in their audit plan.
Over the next 12-18 months, two-thirds of internal audit leaders are taking a proactive approach to identifying weaknesses through an independent attack & penetration review. Internal audit plays a pivotal role to address identified risks.
Most companies are already using established cybersecurity frameworks. NIST, COBIT and ISO are the most widely used, but ISO is losing share. Larger companies favor ISO due to their size and the need to utilize an international standard. Small to mid-size companies have opted for NIST, being more user-friendly and flexible.
2021 Internal Audit Priorities Annual Survey – Jefferson Wells | 4
CYBER DEFENSE ELEMENTS
Password Policies
Data Loss Prevention
Attack & Penetration (External) Assessment
Intrusion Detection
Threat & Vulnerability (Internal) Assessment
Malware Detection
Phishing Program
Social Engineering
62+38DYES64% 7+93F29+71ENO
29%
CONSIDERING7%
24%ISO
50%NIST
Companies rapidly moved into the New Next, embracing digitization, transformation, and the need for improved cyber protection. Results show that audit departments are strengthening their value proposition across the organization by providing expertise from non-audit operational support to RPA/AI implementations.
Social issues, environmental changes, and the need for more effective and transparent governance, has brought ESG to the forefront. Half of companies responding currently assess ESG in some fashion within their audit plan; another 21% are considering adding it to their 2022 plan. Many organizations are committing to more stringent guidelines in these areas, affecting financial statement disclosures and asking internal audit to play a role on governance posture.
Internal Audit’s Strategic Role
2021 Internal Audit Priorities Annual Survey – Jefferson Wells | 5
47% of internal audit departments are reviewing and assessing
operational activities for effectiveness, efficiency, and compliance
Internal audit teams have a heavy role in enterprise risk management with
over 90% involved in the Enterprise Risk Management (ERM) process
Internal Audit plays a heavy SME role in fraud investigations (68%), process improvement
(65%) and IT implementations (60%)
Majority of respondents are involved with RPA/AI implementations either on
pre-or post-implementation, or evaluation of processes with only 27% of internal audit
departments not being involved at all
From a third-party risk perspective, the top 3 areas Internal audit supports are: third-party risk management
issues (57%), SOC reports (55%), and supporting due diligence efforts (39%)
Half of companies responding currently assess ESG activities in their audit plan
with an additional 21% considering adding an ESG assessment to their 2022 plan
60% include cloud-based services in their audit plan for 2022 with an additional 12% considering adding
JOIN THE CONVERSATION ONLINE
linkedin.com/company/Jefferson-Wells-USA
ABOUT JEFFERSON WELLSJefferson Wells delivers solutions and experienced talent to solve emerging challenges in Risk & Compliance, Finance & Accounting, Tax Services, and Business Optimization. Our mission is to deliver value-based client results through the deep expertise and agility of our people. Jefferson Wells is part of the ManpowerGroup family of companies.
To learn more, visit JeffersonWells.com
ABOUT THE RESEARCHReputation Leaders conducted a national study of audit leaders across all industry sectors. Respondents were from organizations of all sizes. Fieldwork took place in July 2021 in the U.S.
SUMMARY
As we turn the corner to 2022, with the end of the pandemic still unknown, internal audit departments must continue to adapt and be agile in their responses to organizational risk, change and uncertainty. Internal audit has proven to operate both effectively and efficiently in a remote environment. Internal audit departments have brought additional value to their organizations, supporting operational initiatives as risk advisors and driving governance in emerging risks such as ESG.
Cybersecurity risks are at an all-time high. Internal audit has a fiduciary responsibility to perform audits in this space independently from the information security group, monitoring the underlying controls and being the third line of defense. 2022 will bring a need to form a more cohesive partnership between these two groups.
The talent shortage, retention hardship, and the skills gap continue to challenge internal audit to match their current capabilities with the priorities of their organization. Reliance on external support to fill skills gap and capacity needs will be required.
Data analytics tools are being used to expedite and support stages of the audit process, and it is perceived this will continue to evolve if the skills gap can be overcome. We see internal audit either investing in talent or using external support in this area.
Change is constant. The digital era will drive audit committees to expect internal audit leaders to increase their impact on strategic company initiatives.