Internal audit is making strides in steering its focus and resources toward companies’ emerging risks, but there’s still some work to be done, according to the latest report from the Institute of Internal Auditors.

In its latest annual North American Pulse of Internal Audit study, the IIA says more than 500 internal audit leaders report they are seeing more increases in staffing than decreases. One-fourth of respondents said they were able to add to their headcount in 2018 compared with 11 percent who said they experienced a decrease in staffing.

That being said, internal audit leaders say it is fairly common for an emerging or unusual risk to pop up as a surprise, even though most audit leaders said they feel confident in their organization’s ability to identify and assess such risks. The survey also suggests internal audit functions are still working on how best to address cyber- and IT risks as well as third-party risks.

With respect to cyber- and data protection issues, for example, the IIA study says 70 percent of audit leaders reported the risk of reputation damage caused by a privacy breach would be a high or very high concern. Despite that, 47 percent said their organizations have little or no audit coverage for compliance with new data protection rules like the European Union’s General Data Protection Regulation or state laws in California and New York.

“Everybody seems to acknowledge that cyber security and data protection are significant risks,” says Richard Chambers, president and CEO of the IIA. “Certainly management and boards are quick to point it out, but when you look at IT audit coverage on cyber-security and data protection, it still looks like a relatively low percentage of resources devoted to those risks.”

With respect to risks arising from arrangements with third parties, like vendors, 21 percent of internal audit leaders said their companies’ selection processes are ad hoc, weak, or nonexistent. The data on monitoring of third parties is even worse, with 48 percent saying their companies’ processes for monitoring third parties are ad hoc, weak, or nonexistent. Less than one-third of respondents said they were extremely or mostly satisfied with how their organizations manage third parties.

“Third-party risks have become more significant in recent years, and people have come to realize the last few years that there’s really no way to completely insulate the company from risks that third parties present,” says Chambers. “There are all kinds of connected risks, and that’s not an area where internal audit is dedicating the kind of coverage it should. There’s probably more that could be done there.”