Our current report addresses some well-known risks, such as cyber-security and third parties, but also highlights gaps in companies’ control environment such as inadequate risk management and insufficient crisis response management that may create real blind spots for companies. Not only do we see changes in the corporate risk landscape, perhaps more importantly we see organizations, despite their best intentions, struggle to maintain effective controls in light of rapid business and regulatory changes.
Audit Plan Hot Spots for 2014:
- Compliance Management
- Cybersecurity: Malicious Insiders
- Risk Management
- Cybersecurity: Malicious Outsiders
- Emerging Markets
- IT Governance
- Third-Party Relationships
- Project Management
- Intellectual Property
- Crisis Response Management
Audit executives have told us that the accelerating pace of business change and intensifying regulatory scrutiny are the key risk drivers that will affect firms over the next 12 to 24 months. Hence, many audit executives are skeptical about management’s ability to adapt their control environment to these changes, with 87% of them reporting at least one or more significant risk events over the past two years.
To help you understand the nature and potential impact of this year’s 10 hot spots, CEB organized them under the following four themes:
1. The Downside of Business Interdependence
Marketplaces no longer operate exclusively from one another; businesses increasingly rely on interconnected webs of stakeholders to drive performance, and new technologies have made companies both hyper-connected and hyper-transparent. The negative consequences of this new interdependence emerge in a few areas:
- Malicious attacks by outsiders, including hacktivists, criminals, and state-sponsored groups, have reached alarming levels and inflict significant economic harm. In 2013, 92% of all significant data breaches were the result of malicious attacks perpetrated by outsiders.
- Disruptions caused by third-party breakdowns in compliance, safety, or services have an almost instantaneous impact on companies’ performance. Gaps in independent audits of third parties often give companies a false sense of security about the effectiveness of supplier or vendor controls.
- There is a growing mismatch between existing crisis response plans and the speed by which crises spread and are magnified through social media.
2. Balancing Business Control and Value Creation
As executive teams seek new avenues for growth amid significant economic uncertainty and regulatory scrutiny, they must become more adept at making risk-adjusted decisions that balance business value with effective internal control. This friction is clearly evident in three areas:
- The size, diversity, and volume of business projects have increased, growing tension between business stakeholders that have conflicting risk-taking and risk-avoidance goals. As a consequence, as many as 30% of projects are troubled at some point during their delivery, raising the importance of strong project management capabilities.
- Emerging market risks may be more acute now than ever as a series of high-profile corruption scandals in 2013 among other risk events have revealed weaknesses in local control and oversight at a time when growth projections for the BRICS and other countries seem to be dimming. Sixty-seven percent of surveyed respondents indicated that bribery and corruption were commonplace within their emerging market operations.
- Information technology has become the central nervous system in business today—supporting the flow of information that drives effective decision-making and enables core business processes. Effective IT governance is now paramount to manage information risk but often consists of an outdated patchwork of overly strict and poorly coordinated approaches and controls that can threaten companies’ ability to compete.
3. Embedding Compliance and Risk Discipline into the Business
The increase in complex and competing regulatory requirements is posing a formidable operational challenge for many companies. Firms must not only prepare for more regulatory enforcement but also become more agile in adapting their business practices to meet new compliance obligations. Key issues in this theme include:
- Effective global adoption of rules and regulations not only demand in-depth legal expertise but also call for world-class compliance management capabilities to reconcile conflicting regulatory requirements and operationalize new standards.
- Increased risk volatility has driven many companies to adopt formal enterprise risk management (ERM) programs to better coordinate and respond to new risks. These programs are still maturing across companies and firms continue to struggle to integrate risk discipline into corporate practices and management cultures.
4. Blind Spots inside Our Organizational Perimeter
Significant enterprise focus on installing better controls to keep out external attackers needs to be balanced with a greater focus on internal, sometimes less-visible risks. Insider threats can inflict significant harm on corporate performance and reputation. Key issues in this theme include:
- Incidents involving malicious insiders have dominated headlines this year and are on the rise. The number of incidents instigated by malicious insiders has doubled from 24% to 48% over the past 12 months, often caused by poor access controls and ineffective background checks of third parties. The malicious insider risk can be especially severe when insiders target intellectual property.
- Intellectual property protection is increasingly critical to sustained advantage in a fast-moving and global economy in which competitors quickly mimic successful business practices and products. Unfortunately, the theft of IP assets is estimated to cost Western companies more than $640 billion per year. Despite this, many companies have weak IP defenses and do not keep up with growing IP protection standards across the globe.
Preparing the enterprise to effectively respond to these 10 hot spots will be essential to securing strong performance with minimal disruption. In particular, audit executives and other assurance professionals in risk, legal and compliance functions should make management more responsive owners of these risks by designing policies, training and other controls that are usable and applicable during day-to-day work.