FOCUS
Hot topics for internal auditors
CONTENTS
Introduction: auditing amid rapid change
Methodology
Appendix
INTRODUCTION: Auditing amid rapid change
Organisations and their internal audit functions face a dizzying pace of change and unprecedented uncertainty. The pandemic has destabilised operations and labour, disrupted supply and demand, and undermined previously sound business models to an extent few would have thought possible.

With the roll-out of vaccines in the developed world and the return of growth as economies reopened in 2021, it may be tempting to see the worst of the pandemic as having passed. However, COVID-19 will continue to have deep and lasting consequences, a new reality that organisations must accept.

Large sections of the workforce are reflecting on their futures, seeking new employment to advance careers stalled by the pandemic or changing course altogether by migrating into different sectors. Many countries are witnessing a resignation crisis, staff shortages and high vacancy rates demonstrating how profoundly the pandemic has exacerbated the talent management risks that existed long before 2020.

Workforce and labour market disruptions also have major implications for culture. CEOs are having to develop a clear vision for the future of their companies, and re-embed core values amid the transition to hybrid operating models that balance remote and on-site working arrangements. They must reconcile the shifting job expectations and new aspirations of existing and incoming staff with their corporate strategy and mission.

While the economic recovery is promising following the deepest global recession in living memory, businesses are contending with critical supply chain issues and inflation risks. Production costs have risen at a rate not seen for decades. Businesses are struggling to forecast demand for their products as virus infection rates and consumption continue to wax and wane. This uncertainty and disruption is being felt end-to-end through supply chains.

Last, but by no means least, organisations can no longer ignore the climate change and sustainability agenda. Those that do not take immediate action face the genuine risk of extinction. As long-term stewards of capital, institutional investors are pulling out of companies that are not prioritising the environment or society and failing to make the necessary adjustments to their strategies, business models and operations.
METHODOLOGY

from the interviews has been used to contextualise the survey results, providing colour and up-to-the-minute considerations for CAEs, with priority given to new issues and emerging themes that warrant attention.

This report should not be considered prescriptive, but as a tool to inform internal audit’s thinking and provide a benchmark against which CAEs can contrast and compare their own independent risk assessments.

We also hope that CAEs will use this report as an agenda item for audit committee discussions and as a sense-checking tool to support their internal audit planning and strategy.

13 European countries involved
50 in-depth interviews
738 responses from CAE members
The risk landscape has shifted over the past year in the eyes of Europe’s CAEs.

One of the more notable changes observable in the survey data is that Financial, liquidity and insolvency risk has become less of a priority. However, it’s important to view this in context. In the second quarter of 2020, large swathes of business activity were shut down and record levels of government stimulus were infused into the economy to avert a financial crisis. Consequently, Financial, liquidity and insolvency risk spiked in priority in last year’s report.

Since then, businesses have weathered a historic recession and may have newfound confidence as growth returns. But this macro recovery may be masking unforeseen financial risk. As stimulus is withdrawn over the coming months, companies should be liquidity stress testing and planning for worst case scenarios as the economy remains sensitive to further shocks and a potential wave of delayed insolvencies. Banks are now placing increasing demands on their corporate customers to understand their exposure to financial risks.

In parallel, a number of risks have come further to the fore this year, most of which have a human dimension. Human capital, diversity and talent management, Organisational culture, and Health, safety and security have all gained positions in the survey ranking and more of the overall vote over the past year. This demonstrates that CAEs are concerned about the impacts the pandemic and the extended homeworking period are having on the workforce, including personnel turnover as staff reflect on their careers and reset their aspirations. The implications of a more fluid employment market are likely to be felt for some time and these challenges will have to be actively managed.

Organisational culture in particular has seen a 35% gain in the proportion of CAEs who view it as a top five risk, from 20% to 27%. This is supported by audit leaders in this year’s qualitative interviews consistently speaking of their sense that culture is at risk of eroding—and the knock-on effects that this could have. Inevitably, against the backdrop of the ongoing pandemic, the question marks that remain over emerging variants and the return to the workplace, the health and safety of staff, customers and suppliers is also of paramount importance.

But the real story is that Climate change and environmental sustainability is surging up the agenda, climbing as many as four positions in the ranking and seeing a 41% gain in the proportion of CAEs who view it as a top five risk. Last year 22% of audit leaders had this among their five biggest risks; that has risen to 31%. No other risk area has shown a bigger year-on-year increase and this is a continuation of a trend: in 2020 a mere 14% of respondents put climate change among their top five risks. It’s now time to act.

[Figure: Risk trends over time. Horizontal axis: share of CAEs, 0% to 90%. Risk categories legible in the chart: Human capital, diversity and talent management; Supply chain, outsourcing and 'nth' party risks; Macroeconomic and geopolitical uncertainty; Organisational culture; Financial, liquidity and insolvency risks; Organisational governance and corporate reporting; Communications, reputation and stakeholder relationships; Fraud, bribery and the criminal exploitation of disruption.]

Three years from now European CAEs believe that Cybersecurity and data security will become somewhat less of a risk, although this is relative. It is still expected to dominate the risk rankings and any threat mitigation will come from the fact that businesses are becoming better equipped at managing and minimising the risk of attacks and data breaches. Other risks that are expected to abate or come under greater control include Business continuity, crisis management and disasters response, Financial, liquidity and insolvency risks, and Health, safety and security. All three of these have been directly influenced by the pandemic and therefore it should be expected that they will recede in due course.

The biggest gainers over this period are expected to be Climate change and environmental sustainability, and Digital disruption, new technology and AI, both of which are becoming fundamental existential risks. The winners and losers over the coming years will be defined by their ability to adapt to the twin pressures of becoming digital-first organisations with minimal environmental impacts and best-in-class sustainability reporting and transparency. It is becoming increasingly clear that only those who prioritise sustainability in their strategies, business models and operations—and can articulate this to investors, governments and the public—will succeed in the long term.

One fast-track method for achieving these goals is through acquisition. Rather than wholly relying on internal development and organic growth, companies can buy innovation, talent and market access via M&A. For example, the financial services sector is currently in a state of reinvention, banks acquiring fintechs to protect and grow their market share and maintain their relevance. In the consumer and retail sectors, companies are scaling down their physical footprints and leaning heavily into digital channels, a shift that is also being achieved via strategic acquisitions. Consistent with this, the survey results show that CAEs expect Mergers and acquisitions risk to rise over the next three years.

The Risk in Focus survey also shows how closely internal audit’s time, attention and resources are being matched to what CAEs consider to be the biggest risks to their organisation. There are numerous reasons why these differentials may exist and a direct correlation between risk priority and time spent auditing should not necessarily be expected.

However, any gaps could be cause for concern, potentially indicating a lack of assurance maturity or that internal audit is not pointed in the right directions. For instance, as has been observed in previous years, Organisational governance and corporate reporting sees much of internal audit’s attention and yet is not viewed as high risk. Conversely, Macroeconomic and geopolitical uncertainty and Climate change and environmental sustainability are viewed as significant risks to the business and yet see limited attention from internal audit. This is a major problem.

Internal audit must be bold. If audit committees expect the third line to concentrate on traditional risk areas that are already well controlled, the business is not realising the full potential of internal audit. In such cases, CAEs must push back and educate stakeholders, urging them to harness the third line to assess big and rapidly emerging risk themes.

Looking ahead three years from now, CAEs expect internal audit’s attention to be increasingly directed towards risks related to Climate change and environmental sustainability, and Digital disruption, new technology and AI. Audit leaders must push for the resources to build highly competent and highly relevant functions that can tackle these shifting assurance needs with confidence. This should be addressed urgently. Waiting until 2025 may be too late.

What are the top 5 risks you expect internal audit to spend 2025

IT SECURITY: RESPONSE AND RECOVERY

The research data

82% of CAEs say that Cybersecurity and data security is among their top five risks, once again putting it ahead of any other risk type (#1). Not only that, 34% of CAEs say this is their single biggest risk (#1). This coincides with a material increase in cybercrime over the past 18 months, as criminals have sought to exploit the security weaknesses exposed by operational disruptions.

An internal audit perspective

Every organisation is at a different point in their information security journey, therefore internal audit must focus its assurance efforts where they are most needed. For the least mature, the third line should concentrate on the foundations: whether the business is properly risk assessing and putting in place hard and soft defensive controls. Hard controls include regularly updating software patches, properly configuring firewalls and threat detection systems, and using least privilege access and two-factor authentication (2FA) to contain attacks from spreading through the entire network from the initially compromised computer. Soft controls centre on the risk awareness throughout the organisation, sound cybersecurity culture being a key risk mitigator.

Once internal audit is confident that these foundations have been laid, its attention should turn to the business’s ability to respond and recover. If IT continuity plans are not well understood by staff or, worse, there are no plans, the organisation is exposing itself to unnecessary risk. The third line should therefore seek evidence that these scenarios are being planned for, including dry run exercises, and that there are dedicated cyber crisis management and recovery resources in the business with clear lines of accountability and timely incident reporting.

“You do not know what is happening at the beginning of the ransomware attack, the decision-making is difficult, there is time pressure. I’m trying to see if we are ready or not to take the right decisions.”
CAE, France, CAC 40 manufacturer

Questions for internal audit

• Does the organisation have a cybersecurity strategy or roadmap? How far has the organisation progressed in achieving this?
• Is there a staff awareness and training programme in place to prevent successful attacks? Are these regularly updated?
• Is a cybersecurity response and recovery plan in place and is it tested?
• Does the organisation make data backups that it can use in the event of an attack? How does the organisation know that the backups are secure?
• What is the organisation’s ransomware policy (does it pay up or not?) and are people aware of it?
• Do insurance policies appropriately cover IT security risks? Is incident reporting likely to be fast enough to meet the coverage requirements of insurers for successful claims?
• Is the organisation confident that it won’t suffer an attack via its vendors or clients? Why is it confident, e.g. are third parties ISO 27001 certified?
• Does any penetration testing include all areas of the business, including potentially overlooked subsidiaries in non-core markets?

DID YOU KNOW?

The volume of ransomware attacks increased by 150% in 2020⁴, more than any other kind, as criminals have sought to exploit the migration to remote working for financial gain. Victims also paid 311% more in ransom to have their data and systems decrypted by perpetrators over the same period.⁵

It is estimated that among recent ransomware victims, 56% recovered their data via system backups and 26% paid the required ransom to have their data returned.⁶

This underscores the importance of response and recovery measures. Even paying criminals is a form of response and a route to recovery and if this is agreed policy, it must be documented and understood by the IT security function, the CISO, the rest of senior management and the board.

RISING SUSTAINABILITY REGULATIONS

The research data

The regulatory burden is a perennial risk that stays firmly at the top of business’s risk registers, especially for banks and others operating in regulated markets. Changes in laws and regulations is among the top five risks for 46% of CAEs this year (#2, maintaining its position from a year prior but with a significantly smaller share of the vote), though only 8% have it as their number one risk (#5). Regardless of their sector, companies should be paying close attention to rising sustainability requirements.

In November the UK will host the COP26 UN climate summit, world leaders convening to discuss how actions can be accelerated towards the goals of the Paris Agreement and the UN Framework Convention on Climate Change. Inevitably this will mean more policymaking and increased regulations. However, the regulatory train is already in motion.

Global ESG regulations and laws have grown by 90% since 2016⁷ and policymakers continue to step up their efforts. CAEs, ACCs and CEOs in our research almost universally spoke of the increasing regulations their organisations face, with attention quickly turning to sustainability reporting.

In April 2021, the EU adopted a package of measures as part of its mission to slash greenhouse emissions by at least 55% by 2030, and reach carbon neutrality by 2050. The package includes the final EU Taxonomy Climate Delegated Act, applicable from 1 January 2022. The act is the first set of technical criteria defining activities that contribute substantially to climate change mitigation and adaptation, essentially supplementing the broad brush framework of the EU’s Taxonomy Regulation, which entered into force on 12 July 2020. A second delegated act is due to follow in 2022.

The broader package also included a proposed Corporate Sustainability Reporting Directive (CSRD), intended to replace the existing Non-Financial Reporting Directive (NFRD), which is widely seen as having fallen short of the mark. The CSRD aims to make sustainability reporting more consistent, so that investors and the public can use comparable and reliable information. Crucially, the proposal significantly enlarges the scope of the current reporting requirements from the 11,000 companies that are currently subject to the NFRD to some 50,000 companies.⁸ This nearly five-fold increase in scope is because the rules are expected to apply not only to every single company with tradeable instruments on Europe’s stock and bond markets, but all large companies whether they are listed or not. Unlike the Sustainable Finance Disclosure Regulation, which came into effect in March 2021, these reporting requirements are intended to apply across sectors, not just in the investment industry.

While Britain has left the EU, UK businesses cannot ignore the rising tide of sustainability regulations. As part of its 2020 Roadmap and Interim Report, the government intends the UK to become the first G20 country to make reporting aligned with the Task Force on Climate-Related Financial Disclosures (TCFD) mandatory across the economy, so this is not solely a concern for EU businesses.

“The main thing is around who we lend to. Do we lend on clean energy? How do we make sure that it’s really green? How do we aggregate the reporting? How do we stress test for climate risk? There’s a lot of movement in that space with the new taxonomy.”
CAE, Luxembourg, development finance bank

8 Sustainable Finance and EU Taxonomy: Commission takes further steps to channel money towards sustainable activities

An internal audit perspective

Third lines in banking and insurance companies are now long familiar with the rising tide of regulation, so, while challenging, these emerging rules are the continuation of a theme. For others, recent cross-sector efforts to deliver assurance around GDPR should stand internal audit in good stead for stricter compliance obligations.

The introduction of the EU Taxonomy Climate Delegated Act and the forthcoming CSRD provide greater clarity on what is expected of EU companies in their sustainability reporting. The same is true for UK businesses with the intention of the UK government to make TCFD-aligned sustainability reporting obligatory. These developments give the third line concrete criteria to audit against.

While internal audit is not usually directly responsible for compliance, for smaller, less mature organisations it may choose to raise flags, highlighting which forthcoming regulations may need to be met. For instance, given that the CSRD will capture far more EU companies within its scope, the third line can bring to the board and senior management’s attention that the first set of standards are expected in October 2022, with a second set to follow in 2023. For more mature organisations, internal audit will need to assess the compliance function’s work, checking the efficacy of any processes and controls that have been modified to deliver on these emerging requirements.

Questions for internal audit

• Is internal audit providing assurance over the translation of relevant sustainability regulations into organisational commitments, policies and plans? Are the plans adequate and are they being delivered?
• Is the organisation aware of its sustainability reporting requirements and is it taking action to address this? Is internal audit or some independent party providing assurance over this reporting?
• Do the data and statements disclosed in non-financial reporting accurately reflect the activities of the company? Could it be reasonably concluded that the company is greenwashing or is it doing what it claims?
• How well developed is the governance around sustainability reporting? For example, are roles and responsibilities clearly defined?
• Does the company have a system of prioritising regulations, whether related to sustainability or otherwise, and does it take an appropriately risk-based approach to managing compliance?

ACCELERATED DIGITALISATION AND LOW-CODE ADOPTION

The research data

Digital disruption, new technology and AI remains a priority, with 45% of CAEs citing it among their top five risks (#3, maintaining its position from a year prior) and 8% putting it as their top risk (#4).

The pandemic and its restrictions on physical contact brought the necessity for digital transformation into sharp focus. Digital laggards were left especially prone as countries went into lockdown, while those that had already executed on their digital strategies were at a distinct advantage. Any businesses that did not previously recognise the need to digitalise their operations and business models certainly do now.

Virtually all CAEs, ACCs and CEOs we interviewed flagged the risks and opportunities associated with digitalisation and the pace of this change as a priority area of attention. Aiding this digital acceleration is the use of low-code development platforms. By enabling developers to create software apps using graphical interfaces instead of hand coding them, low-code has expedited digitalisation during the pandemic, allowing businesses to roll out mission-critical solutions and expand digital channels at speed when they were most needed. It has been estimated that 64% of UK software developers increased their use of low-code tools in 2020 in response to the global lockdown.⁹

Businesses are expected to increasingly rely on low-code software development using tools such as Microsoft’s Power Platform, Salesforce and Mendix¹⁰ to help accelerate their progress. It is estimated that by 2024, 75% of large enterprises will be using at least four low-code development tools.¹¹ Meanwhile, the global low-code market is expected to grow by 22% in 2021, to $13.8bn.¹²

While much of this will be reserved for use by IT functions, the rise of so-called citizen development initiatives shows the opportunity, and the risk, that lies ahead.

Citizen development helps to address the shortage of technically skilled workers by empowering non-technical employees to build apps that solve immediate problems. This can help overstretched IT functions unable to keep up with the many demands of the business. The benefits of this should not be understated.

That is the opportunity. The risk is that by lowering the bar for who can develop apps, effectively democratising digitalisation, the organisation may be increasing its blind spots. Companies may no longer have a true picture of the extent of digitalisation within their organisation, who is responsible for it and where the risks lie. In an effort to drive swift change, digitalisation may proliferate unchecked and key controls may not be paid their due attention, increasing security and data privacy vulnerabilities.

9 The ‘low-code’ imperative
10 Magic Quadrant for Enterprise Low-Code Application Platforms
11 Gartner 2020 Magic Quadrant for Enterprise Low Code Application Platforms
12 Surge in Remote Development Boosted Low-Code Adoption Despite Ongoing Cost Optimization Efforts
Contents
Introduction:
auditing amid rapid change
ACCELERATED DIGITALISATION
Methodology
AND LOW-CODE ADOPTION
Data breakdown: the survey results
An internal audit perspective
With digitalisation shifting up a gear, the been deployed for years already, such patches, critical updates are not rolled
IT security: response and recovery third line’s first concern should be whether as the use of pivot tables and macros out in a timely manner, particularly if
the business model is being sufficiently in Microsoft Excel to create invoice the organisation loses track of its
Rising sustainability regulations adapted to meet the new digital reality. management systems or Microsoft Access low-code components.
Any evidence identified by internal audit of to run database queries.
competitors innovating in ways that could Internal audit may choose to
Accelerated digitalisation and
low-code adoption threaten the business should be brought to Internal audit should therefore return to independently map all digital projects
management’s attention so that it can take the basics and assess whether any low- throughout the business and check
Workforce fatigue and cultural erosion urgent strategic action. code app development and usage follows that this matches the IT function’s own
the company’s established standards and mapping of current activities. In the
Pandemic response: organisational Turning to the development that is already protocols, including reviews, testing and broadest sense, the third line should check
and strategic resilience underway, the third line can assess staged deployment. IT functions will need that digital projects, big and small, uphold
whether core risk management principles to ensure they know exactly what low-code the same standards expected of more
Financial risk and the looming are being embedded into projects. Of projects are in development and apply traditional projects directly managed by
insolvency wave
particular concern is the widespread appropriate permissions controls so that the IT function, and confirm that there is
Rising inflation and the global uptake of low-code tools. The greater the critical data is not lost or misappropriated. appropriate oversight from the information
tax clampdown adoption of these tools among non-IT What is more, it may be impossible to security team.
personnel, the higher the risk. know exactly what is happening under the
Climate change and sustainability
bonnet of these platforms and whether
is now a principal risk
While this may appear to be uncharted they are inadvertently introducing security
Supply chain strains and territory, low-code and no-code flaws to the organisation. Given that the
the race to flexibility development is a continuation of a theme majority of low-code platforms have third-
that internal audit should already be party integrations, it is possible that, even
Health and safety amid the
familiar with. End-user development has if the platform supplier releases security
continued COVID-19 threat
WORKFORCE FATIGUE AND CULTURAL EROSION

The research data

Human capital, diversity and talent management is cited by 40% of CAEs as being among their top five risks (#4, up one place from last year), up from 35% in 2021 and 27% in 2020, a clear uptrend. Meanwhile, 27% view Organisational culture as a top five risk (#10, up one place from last year), a notable year-on-year increase of seven percentage points. As businesses weigh up what working models to embed post-pandemic, the risks to culture, morale and staff cohesion should not be underestimated.

The atomisation of organisations in the homeworking environment has delivered some unexpected benefits. In Europe, 82% of senior executives have reported that productivity levels either held steady or increased as people migrated to remote work and, over half believe that some degree of remote working is here to stay and that it will play a powerful role in retaining top talent.[13]

However, it’s not all upside. Recent research has shown that 47% of UK employees are less career focused because of the pandemic and 40% are concerned about work-related burnout[14], suggesting an extended period of staff churn could be ahead. Separately, it has been found that globally as much as 46% of workers are considering leaving their employer because they are now able to work remotely.[15]

Businesses may also be overlooking risks that are less simple to measure. Interviews with CAEs for this year’s Risk in Focus elicited opinions not only on talent management and skills shortages, but the impact that remote working and hybrid models might be having on culture, irrespective of any productivity benefits.

The lack of social interaction between colleagues may be eroding team cohesion and culture. Staff may be losing their sense of belonging or becoming fatigued and disengaged with their work. As effective as online collaboration tools and videoconferencing software have been in keeping the wheels turning and people connected virtually, there is no substitute for in-person interaction and small talk for fostering creativity, problem-solving and keeping the organisation’s culture alive.

All of this could have negative downstream consequences. Culture and closer co-working is inextricably linked to factors as diverse as innovation and conduct. Without open sharing of ideas, the business may not be able to as effectively develop products or new ways of better serving customers.

If people feel less connected to their teammates and are unable to clearly see how their work contributes to the greater good of the company and its purpose, they could begin to stray. Disengagement has the potential to increase fraud and other misconduct as workers lose their sense of loyalty and put their own interests before the interests of their colleagues and the company. This may be compounded by limited oversight from management, which can result in the weakening of the soft controls environment and poorer internal communications and reporting, increasing the likelihood of undesirable behaviour.

13 Flexible ways of working are here to stay, finds new European research – with leaders focused on maintaining culture and innovation
14 Building resilience for the new realities of work
15 Microsoft Work Trend Index
An internal audit perspective

It may be too early for internal audit to conduct formal assessments of how effectively behavioural and cultural risk is being managed, given the fluidity of the present situation. However, the third line can get a “feel” for any weakening of staff morale and motivation and the overall cultural health of the company. This can be achieved by engaging with people on the ground and flagging any concerns with the board or audit committee.

If companies aim to permanently move towards hybrid working models, they will need to understand what impact this is having on productivity, innovation and the risk and control environment. Once the strategy has been formalised and embedded, internal audit can begin to think about how to address this. One approach would be directly auditing the culture; another would be to assess what HR and the second line are doing to understand and address any cultural erosion that’s occurring, such as conducting staff surveys and employing behavioural science techniques to determine whether workplace incivility and disengagement is becoming a growing threat to the organisation’s success. Steps will then need to be taken to remedy this and re-establish a sound and healthy culture.

Questions for internal audit

• What sense is there that the culture has eroded and integrity has weakened, and is there an awareness of this within HR, middle management and senior management?
• Are efforts being made to promote the organisation’s core values and mission?
• What steps is the organisation taking to check in with staff? Is middle management sufficiently attentive to business teams? Is there anything quantifiable to support this?
• Is reduced in-person interaction having a detrimental impact on either productivity (less likely) or innovation (more likely)? How is this manifesting and being measured?
• Is staff turnover increasing? How long does it take to fill vacant positions? Is talent management to continuously attract and retain employees working?

“What hasn’t necessarily been dissected enough is what the impact of new working models will be. There is a big risk that it’s eroding culture. How do you keep the culture alive when everything’s remote or hybrid and when you’re not interacting in-person?”
CAE, Ireland, travel operator listed on Euronext Dublin
PANDEMIC RESPONSE: ORGANISATIONAL AND STRATEGIC RESILIENCE

The research data

38% of CAEs consider Business continuity, crisis management and disasters response to be a top five risk (#5), a small gain on last year (34%). Companies that have succeeded during the crisis period have not only met the short-term challenge of maintaining continuity, but have responded to the unexpected shocks of the pandemic by developing resilience and refining their strategies.

An internal audit perspective

CAEs should already have a sense of how well their organisations coped with the crisis and whether any shortcomings are well understood by the first and second lines. The third line can assess whether lessons are being incorporated into updated BCPs, which should now include future pandemics as possible future scenarios. The ability to anticipate and plan for future crises is how organisational resilience is achieved.

Any sweeping operational pandemic responses, such as cost-cutting or cost-conserving programmes, should be followed up by the first line to determine whether they are delivering positive outcomes or need to be reassessed. Internal audit may support this activity with reviews of its own, independently providing evidence of how effective these changes have been.

It is ultimately for the CEO and the rest of senior management to define and set the strategy and it is not for internal audit to opine on any pivots or changes of course. But the third line should keep its nose to the ground to identify any meaningful changes that could have risk implications, develop a view on whether they are working as expected and flag any concerns with the board and management. This can involve gauging the level of staff awareness regarding these changes and whether the strategy is taking root. From an upside perspective, internal audit may be able to identify opportunities for further change, such as efficiency improvements or operational restructuring.

The main point is whether the business has the awareness, processes and accountability in place to monitor whether any big changes are delivering their expected benefits. If there is no follow-up in the first line then the organisation could be setting itself in a direction without a clear view of where it is heading or whether it needs to rethink its business model or strategy to more effectively compete in the changing business environment.

“I will be looking at how the business has bridged any gaps identified in protecting people. I will also look at incident response and how we responded through our BCP, including whether VPN connections for such a wide range of people working remotely is included in our plans for other scenarios.”
CAE, Greece, insurer listed on Athens Stock Exchange
Questions for internal audit

• Has the organisation updated its BCP, incorporating any lessons learned from the recent pandemic response and taking into account future crises as possible scenarios?
• What are the lasting impacts of the pandemic on the organisation likely to be and are these well understood by the leadership?
• Is the organisation capable of strategically adapting to gain competitive advantage?
• What strategic pivots and operational adaptations have been made and are these required for the long term or are they short-term measures?
• Have any major changes to the business model affected the risk-control environment and who is addressing this?
• Are the impacts of any big decisions being monitored and followed up on? For example, does senior management have a clear understanding of whether any changes to the strategy are delivering the expected benefits?
• Were any big decisions based on accurate data and sound information? Has the data and the business context shifted since then, potentially requiring the business to pivot back or in a new direction again?
FINANCIAL RISK AND THE LOOMING INSOLVENCY WAVE

The research data

33% of European CAEs view Financial, liquidity and insolvency risk as among their top five risks (#6, down two places), a significant fall on the 42% who said the same a year ago. However, 10% of the sample consider this to be the single biggest risk to their organisation, ahead of every other risk type other than Cybersecurity and data security.

Unprecedented government stimulus has been a godsend for employers and employees. Furlough schemes and state-backed bank loans minimised unemployment and provided companies with the working capital necessary to continue their operations. The effects of these emergency measures have been overwhelmingly positive: administrations in the UK, for example, fell to historic lows during the first year of the pandemic.[17]

Unfortunately this financial support cannot last forever. With Europe having coped with successive waves of infections, with the potential for more to follow, financial risk within a number of sectors remains at elevated levels. Services, leisure, hospitality and travel sectors are at the mercy of government policy and, approaching two years into the pandemic, the future of businesses in these industries is still in question.

It has been estimated that global insolvency rates will increase by 13% in 2021 compared with 2019 and by as much as 27% in 2022.[18] This activity will be concentrated in high-risk sectors which have been through an extended hibernation period with cash flows slowing to a trickle. Once policy support is eventually exhausted, it will inevitably have knock-on effects for the banking sector. If loan defaults rise materially then lenders will have to contend with high credit risk and weaker profitability.

This contagion can also spread through value chains. Companies may have exercised leniency towards customers for as long as possible. With the pandemic having worn on for an extended period, there will be less incentive to offer trade credit and payment deferrals. This could lead to the insolvency of key suppliers and clients, exposing businesses to the financial risks of partner firms’ weakened balance sheets.

This should compel businesses to monitor their cash flow management, assess the creditworthiness of critical business partners, invest in payment monitoring and recovery capabilities, identify customers that may be at risk of failing to make good on their payments, reduce liabilities and ensure that any credit insurance policies are up to date. To understand their financial strength, businesses should also be frequently stress testing and planning for worst-case scenarios.
An internal audit perspective

Last year’s Risk in Focus showed that CAEs were firmly concentrating on the financial resilience and liquidity of their organisations, by checking that the business was doing everything in its powers to secure payments owed and minimise outgoings.

Having faced off these short-term liquidity constraints, the business may be confident that the worst is over. But financial risks remain high. Boards and audit committees may seek independent assurance that cash flow management remains a priority and is under control, and that efforts are being made to monitor the situation outside of the business itself. This may require a confirmation from internal audit that the business is using all available internal and external data to assess the situation as it evolves.

If insolvencies rise in correlation with the withdrawal of government support, businesses could find that customers are no longer able to pay. The third line should therefore confirm that monitoring of high-value business partners is in place to minimise the likelihood of any unexpected shocks and that the business’s insurance sufficiently covers any credit risk. This may also require an independent assurance that the business is acting appropriately and within the bounds of its contractual obligations, either in negotiating its own costs or chasing up payments.

For businesses that are cash poor, internal audit’s attention may be directed at the treasury or finance function to determine the strength of decision-making processes and that financing or refinancing facilities have been put in place to optimise the capital structure and see the business through. As the earnings distortion caused by the pandemic normalises, the third line can assess whether cash flow forecasting is proving to be accurate again so that the business fully understands its liquidity risk exposure as growth returns.

Questions for internal audit

• What is the business’s liquidity risk exposure? Does it have enough cash on its balance sheet to withstand any continued lack of demand and is there an up-to-date and effective cash management strategy?
• Are key business partners still being monitored and is credit insurance in place to cover the potential failure of customers?
• Does the treasury or finance function have clear visibility on what the cash needs of the business will be and a firm grip on cash management?
• Is the company making the most of borrower-friendly financing conditions, e.g. by refinancing existing debts that may fall due soon or securing lower rates? Is a borrowing strategy in place?
• Does the business have access to working capital to be able to scale operations back up as growth returns?
RISING INFLATION AND THE GLOBAL TAX CLAMPDOWN

The research data

32% of CAEs say that Macroeconomic and geopolitical uncertainty broadly defined is among their top five risks (#7, maintaining last year’s position), while 10% say it is their top risk (#3). Inflation has spiked with the economic restart and the governments of the world’s leading economies are training their crosshairs on global corporation tax rates.

Economies roared back to life in 2021 following the deepest global recession since the second world war. This is undeniably positive news. However, the sharp return of demand is causing prices to soar, in some cases at rates not seen for over a decade. Annual consumer price growth across the eurozone reached 1.9% in the year through June 2021, nearly triple the rate a year prior. In the US, the effect has been even more acute, inflation increasing by as much as 5.4% over the same period. Around …

… prices. They hold that this is a temporary phenomenon caused by the whiplash effect of the pandemic, as the demand for goods and services imploded before resurging in 2021. By this logic, recent inflation will be transitory, normalising as the pandemic abates.

Not everyone agrees. Stimulus has reached epic proportions and the longer-term view is that by printing money at a rate never seen before, currencies will devalue while fiscal stimulus will create demand beyond …

Companies will therefore need to keep a close eye on their cost of production and revenue management to determine whether recent developments are merely a blip, or spell a more fundamental and lasting macroeconomic pressure.
G7 tax efforts

At the same time that companies are facing the prospect of absorbing higher costs, the world’s most wealthy nations are coordinating to introduce a new global corporation tax. The aim is to tax multinationals in each country in which they operate, preventing them from profit shifting to low-tax havens.

Two key proposals are on the table: allowing governments to impose levies on 20% of the profits companies make in their country if their margins are greater than 10%; and a tax at 15% of profits in each country where the company operates, regardless of their earnings margins. It is difficult to know exactly how much more tax companies would pay if this global clampdown goes ahead since companies do not uniformly report their accounts on a country-by-country basis. The proposals may also take months if not years to formalise and embed. However, what is clear is that governments are highly indebted as a consequence of the pandemic and are under renewed pressure to close public deficits and reduce sovereign debts. A new global tax would be a further dent to profits at the same time that inflation has the potential to increase overheads and squeeze margins.

“The post-pandemic impact is probably the most important unknown. I expect default risk to go up. Inflation risk is going up and that will affect businesses.”
CAE, Switzerland, insurer and constituent of the Swiss Market Index
An internal audit perspective

Inflation risk depends on the company in question. Companies with strong intellectual property are better able to raise their prices to cover the costs of everything from raw materials to labour. Those with weak value propositions will be more exposed and may have to absorb higher costs. Another consideration is what will happen to interest rates. If inflation persists as the pandemic recedes, central banks may be forced to tighten monetary policy. This means that, having borrowed through the pandemic to raise cash and improve liquidity, businesses carrying large debts could struggle.

If in its independent risk assessment the third line deems the business to be exposed, it can assess how well understood this inflation risk is and what the business is doing to combat it. For instance, procurement functions may seek competitive sources of supplies and in locations closer to the site of production, thereby reducing freight costs. Revenue managers may have to make product pricing adjustment decisions, analysing company data and benchmarking it against the competition. Treasury functions may be expected to lock in currently low financing rates while they are still available, refinancing any floating-rate loans with fixed-rate bonds. Since internal audit has a holistic, company-wide view it is uniquely positioned to determine whether disparate functions are taking appropriate measures and are effectively coordinating.

Global tax risk, meanwhile, is longer term in nature. Companies will not be able to respond until wealthy nations decide on the next steps to take and governments take coordinated actions to prevent profit shifting. Boards and senior management will already be discussing this looming threat and so CAEs should monitor the situation, raising the topic in relevant committees and meetings if it is being overlooked. A formal audit programme can be developed once it is understood what changes the company will need to make to be tax compliant.

Questions for internal audit

• Is the business in an industry that is especially exposed to inflation, e.g. consumer goods, food retail, transport?
• Is senior management having discussions about the potential for long-term inflation and what it means for the business? If not, does internal audit need to flag this as a potential area of concern that requires attention?
• To what extent are procurement functions factoring rising costs into their buying decisions? What actions are being taken?
• Are treasury functions taking full advantage of borrower-friendly financing conditions to secure low borrowing rates?
• Is the revenue management function assessing any price increases that need to be made in order to maintain and grow profitability without putting turnover at risk?
• How sensitive will the company be to proposed global corporation tax changes? Is this being planned for?
CLIMATE CHANGE AND SUSTAINABILITY IS NOW A PRINCIPAL RISK

The research data

Climate change and environmental sustainability is seen as a top five risk by as many as 31% of CAEs (#8, up by as many as five places from last year’s survey), representing an increase of more than 40% on last year’s survey when 22% of CAEs said the same. In the space of two years this topic has gone from a talking point to a principal item on risk maps and corporate risk registers.

Slashing emissions, adopting green energy sources, moving to more socially sustainable manufacturing practices and aligning goods and services with society’s values is now a commercial imperative. Businesses are under pressure from a broad range of stakeholders to make major urgent adjustments to their strategies and business models in the transition to a …

This would not be such an issue if companies fully understood their environmental impacts. However, in many cases businesses have a limited understanding of the repercussions of their activities. One CAE confided that their company does not understand what environmental harms may be caused by the synthetic materials used in its …
Contents
Introduction:
auditing amid rapid change
CLIMATE CHANGE AND SUSTAINABILITY
Methodology
IS NOW A PRINCIPAL RISK
Data breakdown: the survey results
An internal audit perspective
Businesses that drag their feet on These goals may include minimising Internal audit’s value also lies in its
IT security: response and recovery
sustainability are jeopardising their environmental impacts such as consultative supporting role. Climate
futures. The third line therefore has an deforestation, chemical waste, greenhouse change and sustainability risks need to
Rising sustainability regulations opportunity to cement its standing and gas emissions and water consumption; become a central theme in corporate
demonstrate its value by “joining the dots” ensuring human rights and the promotion decision-making and CAEs should seek a
Accelerated digitalisation and on this risk. Internal audit can assess what of economic inclusion through the supply seat at the table in strategy development
low-code adoption exactly it is that the company is doing chain; and developing products and meetings. When big decisions are being
to ensure its longevity by aligning its services that do not harm people or made about large capital projects, the
Workforce fatigue and cultural erosion mission, values and strategy with the rising the planet. development of new products or supply
sustainability agenda, then flag any gaps chain management, CAEs should raise
Pandemic response: organisational between the company’s ambitions and Internal audit may choose to carry out their hand if they believe climate and
and strategic resilience its formal audit work through an ESG
what it is doing in practice to fulfil sustainability risks are being overlooked,
those ambitions. lens, scoring auditees using sustainability where possible using hard data or other
Financial risk and the looming
insolvency wave metrics to show how well various functions tangible, objective information to make
At a top level, this should start with and business units perform against the their case.
Rising inflation and the global reviewing what strategic actions are company’s stated sustainability goals. This
tax clampdown being taken by the business, such as may include reviewing risk governance in
Climate change and sustainability establishing clearly defined and actionable the first and second lines, namely seeing
is now a principal risk sustainability goals that are aligned with how clearly defined roles, responsibilities
existing frameworks and guidance such and ownership of the chosen goals and
Supply chain strains and as ISO 26000 and the UN’s Sustainability related risks are.
the race to flexibility
Development Goals (SDGs). This is
Health and safety amid the the company’s roadmap and provides
continued COVID-19 threat something tangible to audit against.

CLIMATE CHANGE AND SUSTAINABILITY IS NOW A PRINCIPAL RISK
An internal audit perspective

Questions for internal audit
• Is climate change and sustainability central to the company’s values, mission and strategic goals?
• Has the business established sustainability goals and are these aligned with the UN’s 17 SDGs? [20]
• Is the business at risk of becoming obsolete or facing reputational backlash for its activities?
• Is the business taking climate change and sustainability seriously, for example by investing in projects that will future proof its products and services?
• Is scenario planning being employed to prepare the business for any climate-related physical and political risks that may jeopardise its future?
• How valid are the data on which the organisation models its environmental impacts?
• What initiatives are there to reduce the organisation’s greenhouse emissions and move away from harmful or unsustainable manufacturing processes or materials? What progress is being made on these?

“Climate impact risk is becoming much more important. The semiconductor industry actually uses quite a lot of energy, not only directly but throughout the value chain. How much CO2 are the machines we produce going to use and what can we do about that? This will become increasingly important.”
ACC, the Netherlands, technology company traded on Euronext Amsterdam

SUPPLY CHAIN STRAINS AND THE RACE TO FLEXIBILITY
The research data

The pandemic stress-tested supply chains and many companies may feel like they have come through the worst. As demand recovers, however, supply chains are coming under immense strain. Just under a third (30%) of CAEs put Supply chains, outsourcing and ‘nth’ party risk among their top five risks (#9, down one place from last year albeit with a slightly higher share of the vote).

Two-fifths of CAEs we interviewed raised the issue of supply chain risks, from the simple ability to secure parts and products today through to more forward-looking considerations, like developing flexibility and co-locating suppliers at the site of production in the context of a pandemic-constrained world to reduce transport costs and improve supply chain certainty.

One thing that recent events have shown is how supply issues can take months to emerge. Many companies reduced their production in 2020 in the face of weakened demand, leading their suppliers to dial down their own output. Demand jolted back in 2021 as economies recovered, creating supply bottlenecks and preventing companies from fully benefiting from the restart. This effect has been particularly acute in the semiconductor industry, where shortages have had a cascade effect that has hamstrung as many as 169 sectors in some way [21], from consumer electronics to car manufacturing. This shortfall is expected to last through 2021 and potentially into 2022.

The V-shaped recovery in demand is currently contributing to new inflationary pressures (see page 29), but a bigger risk than rising costs is short supplies of critical components causing production delays and lost revenues. If a business is unable to secure vital supplies, then it cannot sell its products. Complicating matters is the unpredictability and unevenness of the economic recovery, which is likely to make demand forecasting a persistent challenge for every link in the supply chain. This is a balancing act. Double ordering today to stockpile and prevent future shortages may cause substantial overshoots, increasing inventory costs.

Senior management and the board will need to be confident that inventory management risks have proper oversight, that supply chain data and technology is being employed to best effect and that short-term and long-term contingency measures are being weighed up to ensure greater supply chain security and flexibility. This will require a change in mindset, from prioritising the lowest price for goods towards greater certainty and resilience.

Playing politics

Geopolitics continue to play into this trend. In May 2021, the European Commission unveiled plans to cut dependency on Chinese and other foreign suppliers in six strategic areas including raw materials, batteries, pharmaceutical ingredients, hydrogen, semiconductors, and cloud and edge technologies, freezing a long-awaited trade and investment agreement.

The power struggle between the US and China also continues virtually unabated. Not only are most of the elevated tariffs imposed at the height of the trade war instigated by the Trump administration still in place, affecting over half of all trade flows between the two countries [22], the current administration is stepping up its own efforts. The Strategic Competition Act of 2021, which has support from both Democrats and Republicans, defines China as a competitor in multiple areas, including economics, technology, and military security. Far from being a temporary concern, trade wars and the impact of geopolitics on supply chains will have to be carefully considered for the foreseeable future.

“There are supply chain issues to think about and the flexibility to scale up and down depending on the pandemic and demand. There will be an increase in sourcing from nearby countries to reduce supply risk. For companies with components coming from different parts of the world, they are reviewing their supply chains to see how to structure them for the future, even if the pandemic soon passes.”
ACC, Sweden, food retail group listed on the Stockholm Stock Exchange

HEALTH AND SAFETY AMID THE CONTINUED COVID-19 THREAT

[23] The Forever Virus: A Strategy for the Long Fight Against COVID-19
[24] Coronavirus vaccines: expect delays

Further, new variants such as the “Delta Plus” strain raise more questions. It is not clear if future variants will prove to be more transmissible, more harmful or more resistant to vaccines. What is clear is that SARS-CoV-2 will continue to mutate, therefore ongoing access to mitigative medicines will have a fundamental influence on countries’ ability to cope.

This could have serious disruptive effects, especially for businesses with global footprints and with extensive outsourcing to the worst-affected regions in the world and where vaccine access is limited.

As lockdowns ease in developed countries and businesses determine how to move forward—whether by maintaining remote working, returning on-site or balancing the two with a hybrid approach—human resources functions, health and safety officers and senior management will need to remain vigilant. This will require tracking the course of the pandemic and following government guidance or mandates in response to any possible further waves of infection across relevant geographies. It also means being attentive to the needs and psychological wellbeing of staff. Organisations have a legal obligation to protect their employees and others from harm, so health and safety will remain a prominent risk, even as the pandemic is gradually contained.

“Health and safety for our business was always of paramount importance because a lot of things can happen in the customer journey. The important thing now in the context of the pandemic is how to ramp up. We need to make sure that the customers’ trust is still with us and they believe that we are doing the utmost to manage this as the business picks up again. It is too early to audit now because plans are constantly changing. But this is on my list for sure.”
CAE, Germany, FTSE 100 travel operator

An internal audit perspective

Companies responded swiftly to protect their workforces and customers in 2020. The almost seamless transition to contact-free working may have developed a false sense of security. As lockdown measures are eased and more of the workforce returns on-site, health risks will increase as more people occupy shared physical spaces. There are simple practical steps that organisations can take like increasing social distancing, staggering shifts, regularly cleaning communal areas, improving ventilation, and providing hand-sanitising facilities, and these basics should already be well covered. If not, the third line should be raising the flag.

While health and safety is a long-established risk, outside of heavy and extractive industries such as industrial manufacturing and mining it is not something that internal audit has commonly looked at. Companies have typically relied on external health and safety auditors for this work and so internal audit may feel that it is in unfamiliar territory.

But the third line must now step up to the plate. In small organisations this should be a relatively simple exercise involving spot checks and assessing staff awareness and behaviour. For multinational organisations, the third line may seek evidence that safeguarding measures are being reviewed on a risk-based, country-by-country basis. Going deeper, internal audit can form an opinion on how effectively staff and customer safety is being risk assessed on an ongoing basis, in the context of the business’s various activities and taking into account the potential for further waves of COVID-19 infections.

There is also the psychological dimension to consider. HR functions should be raising awareness with staff about how to protect their mental health. Internal audit may consider it appropriate to perform a formal audit of staff wellbeing for example via an independent survey, although simply checking that HR is sufficiently assessing and attending to workers’ needs may be enough. The psychological health of personnel may also be something that the third line “picks up” from soft human cues as it moves around the organisation conducting more technical controls- and process-oriented audits, in the same way that it can check the temperature of the organisation’s culture.

Questions for internal audit
• Is the health and safety of customers being sufficiently prioritised and what measures need to be embedded and monitored with the recovery of business activity?
• What evidence is there that the HR function is prioritising the health and safety of staff in the context of a return to the workplace? Is a health and safety strategy in place?
• Has there been an increase in staff, customer or supplier complaints regarding their treatment or concerns over how the business is handling their physical safety and psychological wellbeing?
• Has the organisation already demonstrated that it can effectively manage this moving risk? Is it ready to manage this as business activity returns?
• Is a risk-based approach being applied to the various geographies in which the organisation is present? Are health and safety measures appropriate to the level of risk in that country?

“Health will continue to be a major risk for the next year at least. Despite the vaccine no one really knows for sure exactly how long this is going to help and it doesn’t offer 100% protection. There are a lot of discussions about how to keep social distancing at the offices. At the end of the day, health continues to be a real concern and there’s risk of more contagion.”
ACC, Spain, property development company

Appendix

[8] Sustainable Finance and EU Taxonomy: Commission takes further steps to channel money towards sustainable activities
[15] Microsoft Work Trend Index
[16] Strategic resilience during the COVID-19 crisis
[24] Coronavirus vaccines: expect delays

About Risk in Focus
For the past six years, Risk in Focus has sought to highlight key
risk areas to help internal auditors prepare independent risk
assessment work, annual planning and audit scoping. It helps
Chief Audit Executives (CAEs) to understand how their peers view
today’s risk landscape as they prepare their forthcoming audit
plans for the year ahead.