The big picture
For CAEs, 2023 is shaping up to be a year fraught with significant risk.
- These views are sharpening further in light of continued unevenness and unpredictability in global markets.
The bottom line
CAEs must equip themselves to navigate today’s challenges and provide critical insights to executive management and the board of directors. Key risks CAEs are focusing on to ensure that they are delivering value to their organizations and elevating their relevance with key stakeholders include:
- Economic conditions: One of the biggest challenges for CAEs is supporting their organizations in navigating a tough economic landscape. They need to stay up to date on these factors and align their internal audit activities to the most critical and prevailing risks.
- Talent and culture: Attracting and retaining top talent is critical in a highly competitive recruiting landscape. This is particularly true in internal audit, with the compounding pressures of significant demand for talent with risk and control skill sets and the ever-evolving set of topics that internal auditors are expected to have knowledge of and capability to assess.
- Cyber threats: CAEs play a critical role in ensuring that their organization’s cybersecurity programs are risk-aligned and effective. This includes evolving the nature and scope of cyber-related audits to keep pace with the risk, threat and vulnerability landscape.
- Supply chains: From an internal audit perspective, there are numerous concerns about supply chains, including sustainability and compliance with country or regional regulations.
Read more below.
For chief audit executives (CAEs), 2023 is shaping up to be a year fraught with significant risk. Even for a group that is understandably risk-averse in their role as a strategic adviser, they still see high levels of uncertainty in the market, according to the CAE results from the latest Executive Perspectives on Top Risks Survey from Protiviti and NC State University’s ERM Initiative. These views, first shared in the fourth quarter of 2022 (see results above), certainly are sharpening further in light of continued unevenness and unpredictability in the global economy.
With economic conditions, talent and culture, and cyber threats evolving rapidly, combined with ongoing supply chain concerns, CAEs must equip themselves to navigate these challenges and provide critical insights to executive management and the board of directors.
As the year and business outlook continue to unfold, here are some key areas that CAEs should focus on to ensure that they are delivering value to their organizations and elevating their relevance with key stakeholders.
One of the biggest challenges for CAEs in 2023 is supporting their organizations as they navigate a tough economic landscape. While the global economy is expected to continue its recovery from the pandemic, uncertainties remain around inflation, interest rates and the growing potential for a downturn. Factors expected to affect the economy in 2023 and beyond include but are not limited to geopolitical tensions, natural disasters, fiscal and monetary policies, shifts in consumer behavior, and potential cooling in some parts of the labor market. CAEs will need to stay up to date on these factors and align their internal audit activities to the most critical and prevailing risks.
One way CAEs can address these challenges is to ensure that their internal audit functions continue to grow their maturity in Next-Generation Internal Audit practices and competencies. From aligned assurance and agile audit approaches to increasing use of data, analytics, AI tools and enabling technologies to dynamic risk assessment approaches and a focus on impactful communications, internal audit teams will deliver greater value to their stakeholders by identifying and communicating potential risks and vulnerabilities at the speed at which they arise and before they become critical issues.
Of note, we explore these areas further in our latest Next-Generation Internal Audit Survey and accompanying report, Achieving Audit Relevance.
Talent and culture
The ability to attract and retain top talent today is critical for any function in the organization. This is particularly true in internal audit, with the compounding pressures of significant demand for talent with risk and control skill sets and the ever-evolving set of topics that internal auditors are expected to have knowledge of and capability to assess. Amid persistently low unemployment rates and challenges to bring in the right people, CAEs must be able to create a culture that fosters a positive work environment and employee engagement. This includes providing opportunities for career growth and skills development.
CAEs must also be attuned to the changing demographics of the workforce. Many employees today have markedly different expectations around work-life balance than we experienced just a few years ago. There are also very different expectations around the use of technology, work that is more directly aligned with professional and personal interests, skill-building opportunities, and working with a sense of purpose, impact and belonging. All of these factors necessitate a rethink around talent management strategies. Working in partnership with HR and other teams focused on people and culture are key.
Cybersecurity is a perennial concern for businesses. The frequency and complexity of cyber attacks are increasing, along with the threat and vulnerability landscape. As technology continues to advance, cyber criminals are becoming increasingly sophisticated in their tactics. Organizations must be prepared to respond quickly and effectively to mitigate the impact of these attacks.
CAEs play a critical role in addressing cyber threats by ensuring that their organization’s cybersecurity programs are risk-aligned and keeping pace with evolving cyber risks and are designed and operating effectively to sufficiently mitigate risk. Internal audit leaders need to challenge themselves and their teams as to whether their planned internal audit activities include and address cyber risks the organization is facing. They also must assess whether the scope and nature of the reviews are evolving and whether the cyber audit plan is progressing from periodic vulnerability assessments and penetration tests to reviews that are broader in scope and nature (e.g., ransomware preparedness, privileged access management, internet of things [IoT] review and supporting the performance of cyber risk quantification).
Supply chains continue to be a key area of risk for businesses. Globalization has made supply chains more complex than ever, and businesses need to be prepared to deal with a wide range of potential disruptions that can result from geopolitical tensions, changes in trade policies, natural disasters and more. From an internal audit perspective, there also are numerous concerns about supply chains, including sustainability and compliance with country and regional regulations. In addition, as more organizations shift away from efficiency-based supply chain models (low-cost and just-in-time) to revenue assurance models that emphasize flexibility and resilience, it also changes the organization’s risk profile and, in turn, influences the annual audit plan.
Economic conditions, talent and culture, supply chains, and cyber threats are just a few of the key areas that CAEs must address to ensure that they are providing value to their organizations. By prioritizing Next-Generation Internal Audit competencies such as dynamic risk assessment, advanced analytics, agile auditing, impactful communications, coordination and alignment with other assurance functions, and people and skills development, CAEs can elevate internal audit’s relevance by helping their organizations navigate these challenges and achieve their strategic goals and objectives.