Regular readers of my blogs will know that I frequently share highlights from new research or thought leadership that sheds light on the trends and outlook for internal audit. In addition to sharing reports by others, I also work with AuditBoard to articulate our perspectives on the ongoing challenges and opportunities facing the internal audit profession.

This week, we released our latest report: 2023 Focus on the Future – Internal Audit Must Accelerate its Response in Addressing Key Risks. The report is based on a survey of audit leaders conducted in September and October 2022, and reveals a lack of alignment between top risks facing businesses and the level of effort internal audit is putting toward those vulnerabilities. And, despite repeated signs of a looming economic slowdown that could further impact businesses in the year ahead, internal auditors are generally optimistic about their budgets and available talent, though they acknowledge the challenges that current resource levels present in the face of mounting uncertainty.

Our latest survey finds consistency in risk assessments from surveys conducted earlier in 2022 and in 2021, opportunities to better level-set efforts, continuing shortfalls in talent and resources, and perhaps too much dependency on the judgment of others rather than from within.

In the report, we offer extensive data and several interesting observations:

·       CAEs see cyber and talent as the top risks between 2023-2026. Cyber/data security and talent remain the top risks facing organizations, with over 80% of respondents seeing cyber/data security as a “very high” or “higher than average” vulnerability, and nearly three of four responding the same for talent. Macroeconomic conditions, supply chain/outsourcing/third parties, and regulatory changes present persistent challenges for business. ESG is one of the fastest-growing surveyed risk categories over the last year, and two-thirds of respondents report that an aspect of ESG is a top risk in 2023.

 ·       There’s a troubling lack of alignment between audit effort and the risks organizations are expected to face in the years ahead. The projected internal audit level of effort for 2023 does not always align with projected risks. The three key areas where the gap between anticipated risk level and planned audit effort is the most substantial are: the ability to attract and retain top talent, with 77% rating it a critical risk while 16% are dedicating substantial resources to addressing the risk; macroeconomic factors and geopolitical uncertainty (69% rate it a critical risk, while 13% plan to dedicate substantial resources); and business model disruptions due to an evolving digital risk landscape (50% rate it a critical risk, while 20% plan to dedicate substantial resources). Respondents most frequently point to inadequate resources as the primary reason for differences between risk level and effort, though many appear comfortable with staffing and budgets heading into 2023. 

·       Missed opportunities abound when it comes to continuous risk monitoring. Nearly nine of 10 respondents look more to other risk-related functions to monitor risks than to their own independent efforts to gather data and assess risks objectively. Internal auditors are not taking full advantage of all the risk monitoring methods available to them.

·       There may be misplaced optimism when it comes to resources and talent. 53% of respondents expect their budgets to increase in 2023, while 39% expect staffing to also improve. In contrast, over half of respondents acknowledge having less resources than they believe are needed to address risks in their organizations. Even where respondents see increased resources, they admit it’s not enough.

As I note in the report, headlines in 2022 have read like history books. As the year ends, inflation is soaring around the world while signs of economic downturn abound. The possibility of stagflation — where inflation and recession coexist — is but one of many signs of uncertainty our organizations face in the year ahead. War in Europe has exacerbated fuel prices and supply chain, cyber, and third-party risks that were already creating disruption. Equity markets are on a perpetual roller coaster, propelled by Wall Street’s day-to-day swings between pessimism and optimism.

Yet, internal audit functions appear to be coasting in increasingly turbulent times, exhibiting a calm that may be masking challenges in preparing for and, importantly, addressing existing and emerging risks. Frankly, 2023 may present more challenges than internal auditors think.

The AuditBoard report is rich in data and there is no way to recap all of the content in a short article. Please check out the full report and I welcome your thoughts in response to this blog post.