KUALA LUMPUR (Nov 16): Cyberthreats and IT governance are top risk areas for internal auditors to address in their audit plans for 2023, according to Gartner Inc.
In its 2023 Audit Plan Hot Spots Report released on Tuesday (Nov 15), the consulting firm identified the top 12 risk focus areas for chief audit executives (CAEs) to help them identify risks to their organisations and plan audit coverage for the coming year.
Gartner legal, risk and compliance practice vice president Leslee McKnight said cyberthreats remain a perennial concern for CAEs, yet the drivers of this risk have evolved as a result of new geopolitical conflicts and the heightened prospect of state-sponsored attacks.
“Mitigation plans need to be revisited to reflect the evolution of the risk and prepare the organisation to meet increasingly stringent disclosure requirements in the event of a breach,” she said.
Gartner said adjacent hot spots, such as ensuring adequate IT governance and third-party risk management, contribute to a challenging outlook for mitigating the full array of potential cyberthreats facing organisations in 2023.
The firm said while most CAEs indicated they planned to address cybersecurity in their plans next year, only 42% of survey respondents expressed a high level of confidence in their ability to provide adequate assurance in this area.
Gartner’s annual report is based on a survey of 112 CAEs completed in August 2022, additional structured interviews with CAEs and IT audit leaders, as well as data and insights generated from cross-functional Gartner research throughout 2022.
The top risk areas are listed below:
- Cyberthreats
- IT governance
- Data governance
- Third-party risk management
- Organisational resilience
- Environmental, social and governance (ESG)
- Supply chain
- Macroeconomic volatility
- Workforce management
- Cost pressures
- Culture
- Climate degradation
McKnight said rethinking resilience is a key theme that underlies a diverse set of risks facing organisations in 2023, including economic volatility, climate degradation and third-party risk management.
“Currently less than one third of audit leaders are highly confident in their team’s ability to provide assurance over organisational resilience risk, and more concerning, less than half plan to cover organisational resilience in audit activities in the coming year,” she said.