2019 North American Pulse of Internal Audit Report Identifies Potential Misalignment in Corporate Risk Landscape

Annual Survey Reveals Growing Concerns with Third-Party and Atypical Risks

LAKE MARY, Fla., USA (March 4, 2019) — Organizations are struggling to monitor emerging and atypical risks, and are too often caught off guard when risks do arise, according to The Institute of Internal Auditors’ annual survey of chief audit executives.

The 2019 North American Pulse of Internal Audit, Defining Alignment in a Dynamic Risk Landscape, found potentially troubling misalignment on the identification and management of risks in four key areas, including cybersecurity and third-party issues. These challenges are being brought on by dynamic geopolitical environments, shifting economic conditions, and disruptive technology.

The report urges chief audit executives to communicate clearly with the C-suite and board whenever risks are not being adequately addressed and provides them with resources to help better understand the evolving risk landscape.

“A risk not communicated is a risk assumed,” said IIA President and CEO Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA. “It’s imperative for chief audit executives to be well-aligned with management, and the board to ensure the organization has a comprehensive and unencumbered understanding of the risk universe.”

The Pulse report, based on a survey of more than 500 internal audit executives, identifies four key risk areas:

1. Cybersecurity and Data Protection: Reputational damage related to cyber breaches remains a top concern for North American CAEs (70 percent). Three-year trending data reflect steady increases in the allocation of audit efforts to cybersecurity and information technology, but that still lags well-behind efforts focused on operational, financial reporting, and compliance, especially among publicly traded companies.
2. Third-party Risks: CAEs have significant concerns about how organizations address risks associated with selecting and monitoring third-party vendors. Nearly half view organizational oversight of third-party relationships as weak.
3. Emerging and Atypical Risks: While most CAEs (80 percent) express confidence in their organization’s ability to identify and assess emerging or atypical risks, the reported frequency of management being surprised by these risks belies that confidence.
4. Board and Management Activity: In substantially more than half of responding organizations (85 percent), internal audit rarely or never provides assurance on management information sent to the board. What’s more, variations in reporting structures may be hampering internal audit findings and insights from getting through the board in key risk areas.

The full 2019 Pulse report, Defining Alignment in a Dynamic Risk Landscape, can be downloaded from The IIA Audit Executive Center (AEC) website beginning March 11. An exclusive presentation of the findings and analysis will be provided to AEC members just ahead of the General Audit Management (GAM) conference in Dallas-Fort Worth on March 11-13.

The Audit Executive Center has gathered insight from leaders in the profession through the annual Pulse of Internal Audit survey since 2011. Each survey collects information about established and emerging issues, and other topics of importance to the profession and internal audit management. It also offers valuable benchmarking information on staffing, resourcing, outsourcing, audit plan activities, and talent management – providing additional material to educate stakeholders and improve alignment.

About the Audit Executive Center

An exclusive service developed to support Chief Audit Executives (CAEs) in answering the demands of their evolving roles, the Audit Executive Center empowers its members by delivering unparalleled access to a growing Knowledge Center of more than 600 pieces of thought leadership and more than 300 tools, templates and planning resources; access to the Audit Intelligence Suite to benchmark CAE audit activities, assess internal audit teams and survey key stakeholders; peer-to-peer knowledge sharing opportunities; CPE-eligible webinars, roundtables and networking events; E-bulletins and news publications. For more information, visit www.theiia.org/AEC.