The coronavirus pandemic has dramatically altered the risk landscape for chief audit executives and audit departments by exacerbating long-standing risks while giving rise to new ones, a new report by research and advisory firm Gartner finds.
Based on input from interviews and surveys from across its global network, Gartner’s annual “Audit Plan Hot Spots” identifies and analyzes the top risk areas facing audit departments in the year ahead. “While the pandemic has created new challenges for audit executives to grapple with, what’s most notable is how the current environment has accelerated existing risk trends,” said Leslee McKnight, research director for Gartner’s audit practice.
“The volatility and interconnectedness of the two most important risks—IT and data governance—also shines a light on the importance for firms to rethink their risk governance,” McKnight said. “Audit leaders should apply dynamic risk governance in order to rethink their approach to designing risk management roles and responsibilities.”
The top three risk areas on this year’s list are the same as those identified in last year’s edition. What is dramatically different, however, are the drivers for each one, as described in more detail below.
IT governance. In 2020, challenges around robotic process automation were listed as a top driver of IT governance risk, whereas in 2021 those drivers have shifted to the “rapid adoption of new technologies” and “access management challenges.”
In its report, Gartner offers several recommendations for auditors, including:
- Conducting advisory reviews for all IT projects, systems, and application implementations and assessing where new controls are needed;
- Determining the IT department’s plans for rapidly adjusting in times of crisis by reallocating staff and funds to support priorities; and
- Determining whether IT monitoring and reporting enables proactive response and preparation in advance of spikes in incidents.
According to the Gartner report, 62 percent of 94 total respondents said they are “highly confident” in audit’s ability to provide assurance over IT governance risk. Only 2 percent said they were not confident.
Additionally, when asked whether they have plans to cover IT governance in audit activities over the next 12 to 18 months, 65 percent said “definitely,” while 35 percent answered “tentatively.” Five percent said they currently have no plans.
Managing access rights for remote workers also presents new IT governance risks. Gartner recommended reviewing access management policies and controls for granting system access and user privileges. “Assess whether access rights are granted based on defined business needs and job requirements and are terminated in a timely manner as employees leave the organization or change roles, and administrator privileges are minimized,” the report states.
Data governance. As organizations continue to struggle with implementing and enforcing their data governance frameworks, the pandemic has exacerbated those risks by forcing organizations to collect even more sensitive personal information on their employees and customers than ever before. “Yet, data governance practices are regressing, with fewer dedicated resources to data privacy than in previous years,” according to Gartner.
The data environment is also growing increasingly complex. “Growth in software-as-a-service (SaaS) and delays to upgrading legacy systems have created work environments where data is distributed across disparate platforms, software, and servers,” according to Gartner. “Such complexities continue to test audit executives, with only 45 percent expressing high confidence in their ability to manage data governance risk.”
Cyber-vulnerabilities. The coronavirus pandemic has also heightened the risk of cyber-vulnerabilities. Specific risk drivers in this area to watch for are magnified gaps in security controls due to more employees working remotely and employees being more vulnerable to social engineering attacks.
“The pandemic is forcing many audit and risk executives to address their organization’s deficiencies in the most critical areas,” McKnight said. “Inadequate data governance and IT security practices will have even steeper consequences in the current environment than pre-pandemic, particularly when considering the types of data many organizations feel compelled to collect as a result of new health and safety measures.”
New risk areas
The report describes other audit risk areas in 2021 that did not make the list last year, including talent resilience. “Increased uncertainty, stress and the pressures of working from home are testing employees’ ability to adapt and remain productive, increasing the risk of change fatigue,” Gartner noted.
To mitigate this risk, Gartner recommended the following proactive measures:
- Assess practices for identifying and responding to signs of employee disengagement.
- Review progress on proposed learning and development plans and talent risk-mitigation strategies.
- Evaluate how critical digital skills gaps are identified and assess HR and senior management’s awareness of gaps in the skills necessary to execute the digital strategy and sustain remote work and the plans in place to close them.
- Evaluate the processes used to ensure alignment of existing benefits and well-being programs with employee needs.
- Verify that an established cadence for sharing and discussing important change-related information with employees is in place and assess guidance given to managers to encourage transparency and empathy while communicating organizational change.
When asked about confidence in audit’s ability to provide assurance over talent resilience, 72 percent of 92 total respondents said they are “somewhat confident,” while only 20 percent said they are “highly confident.” Eight percent said they are not confident at all.
Moreover, when asked about their plans to cover talent resilience in audit activities in the next 12 to 18 months, 49 percent of respondents said they don’t have any activities currently planned, while 35 percent said they tentatively will cover talent resilience in audit activities. Sixteen percent said they definitely will.