NORTH AMERICA 2024 RISK IN FOCUS
Hot topics for internal auditors

North America report sponsor: AuditBoard

ABOUT RISK IN FOCUS

Reports are based on a worldwide survey to identify current and emerging risks for each region, followed up with roundtables and interviews to discover leading practices for internal auditors. Each of The IIA's six regions will receive two reports:

- Hot Topics for Internal Auditors: detailed reports based on the survey, roundtables, and interviews.
- Board Briefing: summary reports for internal auditors to share with stakeholders.

Global Risk in Focus is a collaborative partnership facilitated by the Internal Audit Foundation with generous support from IIA regional bodies, IIA Institutes, and corporate sponsors. 2024 marks the first year the project was conducted worldwide. The Risk in Focus methodology was originally created in 2016 by the European Institutes Research Group (EIRG), which
continues to publish it in Europe through the European Confederation of Institutes of Internal Auditing (ECIIA). Reports are available free to the public at The IIA's Risk in Focus resource page and at the websites for IIA regional groups: ACIIA (Asia Pacific), AFIIA (Africa), ARABCIIA (Middle East), ECIIA (Europe), FLAI (Latin America). Risk in Focus provides practical, data-driven research to help internal auditors and their stakeholders understand today's risk environment and prepare audit plans for the year ahead.

CONTENTS

- Executive summary: North America
- Methodology
- Survey results: Global
- Survey results: North America
- Cybersecurity: Team building for cyber resilience
- Human capital: Negotiating the culture clash
- Market changes: Adding value with strategic involvement
- Business continuity: Building resilience in complexity
- Interconnected risks: Geopolitical uncertainty, supply chain, and regulatory change
- Future expectations: Pressure grows from digital disruption and climate change

EXECUTIVE SUMMARY NORTH AMERICA

Responding to rapid change with collaboration

After an unprecedented three years of global disruption, North American organizations are seeking closer collaboration with stakeholders across their organizations to get in front of the fast-moving risk landscape. Internal audit leaders are often acting as advisors to the board and management on mission-critical projects and retooling audit methodologies to better manage the risks ahead.

North America Risk in Focus provides insight into urgent questions facing CAEs and their boards, including:

- What are the top risks organizations face in the region? How will these develop over the next three years?
- Where are internal auditors investing the most time and effort?
- How can internal audit functions help their organizations?

Two risks dominate the risk landscape for North America in 2024, cybersecurity and human capital, which cut across almost every aspect of
an organization's operations. By 2027, CAEs expect the biggest risk to still be cybersecurity, but digital disruption will leap into second place, with climate change also seeing greatly increased risk levels. Among survey respondents worldwide, the three areas of highest risk were cybersecurity, human capital, and business continuity. Across regions there was remarkable consensus that digital disruption and climate change were the two areas expected to increase the most in risk level and audit effort.

The North America Risk in Focus reports describe in detail the challenges and solutions for urgent risk areas and draw on the expertise, experience, and knowledge of multiple internal audit leaders throughout the region. The featured topics for the North America reports are cybersecurity, human capital, market changes, and business continuity. For a summary of findings to provide to boards and stakeholders
, see North America Risk in Focus 2024 Board Briefing. For reports from other regions, see the Risk in Focus resource page.

METHODOLOGY

North America Research Participation

- 442 survey responses from CAEs and directors
- Participating countries: U.S. (385), Canada (57)
- 4 roundtables with 28 participants
- 9 in-depth interviews

The survey presents 16 risk categories, shown below. Respondents are asked to choose the top 5 highest for risk level and the top 5 highest for internal audit time and effort, both for now and three years in the future. In reports, the categories are referenced by their shortened names
. For the Risk in Focus 2024 project worldwide, survey responses were received from 4,207 CAEs and directors in 111 countries/territories from February 15 to July 12, 2023. Eighteen roundtables were conducted with 152 participants, followed by 40 in-depth interviews. The Risk in Focus methodology starts with a survey of CAEs and heads of internal audit to identify current and emerging risks for each region. The top risks identified in the survey are used in follow-up roundtables and interviews with CAEs, academics, and other industry experts.

Risk in Focus 2024 Risk Categories

Risk Topic                       Risk Description Used in the Survey
Business continuity              Business continuity, operational resilience, crisis management, and disaster response
Climate change                   Climate change, biodiversity, and environmental sustainability
Geopolitical uncertainty         Macroeconomic and geopolitical uncertainty
Communications/reputation        Communications, reputation, and stakeholder relationships
Governance/corporate reporting   Organizational governance and corporate reporting
Cybersecurity                    Cybersecurity and data security
Health and safety                Health, safety, and security
Digital disruption               Digital disruption, new technology, and AI
Human capital                    Human capital, diversity, and talent management and retention
Financial liquidity              Financial, liquidity, and insolvency risks
Market changes                   Market changes/competition and customer behavior
Organizational culture           Organizational culture
Supply chain and outsourcing     Supply chain, outsourcing, and nth party risk
Fraud                            Fraud, bribery, and the criminal exploitation of disruption
Mergers and acquisitions         Mergers and acquisitions
Regulatory change                Change in laws and regulations

SURVEY RESULTS GLOBAL

Regional comparisons

The worldwide participation in the Risk in Focus survey provides a rare opportunity to compare risk and audit planning between different regions.

Global Survey Responses Per Region

Region                        Responses
Africa                        808
Asia Pacific                  1,035
Latin America (& Caribbean)   956
Europe                        799
North America                 442
Middle East                   167
Total                         4,207

How to use survey results

The Risk in Focus survey results are presented in a series of graphs that show survey responses about risk levels and audit effort, both now and three years in the future. Key findings are summarized below, but readers are encouraged to review the graphs in detail to obtain further insights. Percentages show how many chose an audit area as one of the five highest for risk level or audit effort at their organization. In the graphs, results for risk levels are colored blue and results for audit effort are green; current levels are darker shades and future levels are lighter.

Figure 1: Top 5 highest risks per region (Global)

There is broad consensus worldwide that the three areas of highest risk for the organizations where CAEs work are:
1. Cybersecurity
2. Human capital
3. Business continuity

For most regions, regulatory change also ranks as a top 5 highest risk, with the exception of Africa and the Middle East, where financial liquidity is more of a concern. Reflecting current events and future concerns, geopolitical instability topped the list for Latin America and Europe. Market changes were considered a top risk for Asia Pacific and North America, but not in other regions. Finally, Africa was the only region with fraud as a top 5 concern, while the Middle East was unique in having governance/corporate reporting in its top 5.

Another way to look at the data is to consider which region had the highest risk within each audit area. For example, climate change risks were rated highest in Europe compared to other regions. Some notable points about highest ratings per audit area include:
- North American respondents gave cybersecurity (85%) and human capital (65%) the highest risk ratings compared to other regions.
- For Europe, while cybersecurity was nearly as high as for North America (84%), the other areas of high concern were geopolitical uncertainty (43%) and climate change (31%). Europe was the only region where climate change was higher than 30%.
- Latin America shared Europe's concern about geopolitical uncertainty (42%), but also reported high risk for regulatory change (48%) and digital disruption (38%).
- Asia Pacific was particularly concerned with business continuity (61%) and market changes (47%), compared to other regions.
- The Middle East had much higher risk levels for governance/corporate reporting (45%) than other regions and was also
slightly higher for communications/reputation (28%).
- Finally, Africa had a unique mix of risks that were higher than in other regions, including financial liquidity (47%), fraud (46%), and organizational culture (34%).

Figure 2: Top 5 audit effort per region (Global)

Although risk levels may vary from region to region, the areas of highest effort for internal audit are remarkably similar, generally in this order:
1. Cybersecurity
2. Governance/corporate reporting
3. Business continuity
4. Regulatory change
5. Financial liquidity
6. Fraud

The primary area of difference was regulatory change, where audit effort percentages were notably lower for Africa (35%) and the Middle East (35%) than for other regions, which were at 50% or higher. Other specific differences were:
- Asia Pacific had a lower percentage for financial liquidity (35%) than the global average (45%).
- Latin America was lower than other regions for effort toward governance/corporate reporting (46% for Latin America vs. 55% global average).
- North America was much lower than the global average for fraud effort (26% for North America vs. 42% global average).

Another way to look at the data is to consider which region had the highest audit effort within each audit area. In many
audit areas, the difference in effort between regions is small. But there were some audit areas where differences were notable:
- North America was much more broadly involved in cybersecurity (84%) than other regions, with the exception of Europe (79%).
- Africa has more functions putting top 5 effort toward fraud (57%) and financial liquidity (53%) than other regions.
- Europe has almost double the percentage who say climate change is top 5 for audit effort (19%) compared to the global average (11%).

Figure 3: Expected risk change in three years (Global)

There is consensus worldwide that risk levels will rise in the next three years for digital disruption and climate change. Both areas saw increases of about 20 percentage points between current and future risk levels. Even more remarkable is the increase in ranking for climate change, which leaped from fourteenth place to fifth.

Figure 4: Expected audit effort change in three years (Global)

With risk levels expected to rise for digital disruption and climate change, so is the amount of time and effort internal audit expects to spend in these areas. The percentage expecting digital disruption to be top 5 for audit effort more than doubled, from 22% to 52%. Equally remarkable, the percentage for climate change more than tripled, from 11% to 34%.
Figure 1: Top 5 highest risks per region (Global)

What are the top 5 risks your organization currently faces? The table shows the percentage for each of the 16 audit areas by region: Average of all regions, Europe, Middle East, North America, Africa, Latin America, and Asia Pacific.

Highest risks per region: There is broad consensus worldwide that the three areas of highest risk are cybersecurity, human capital, and business continuity. North America's cybersecurity (85%) and human capital (65%) ratings are highlighted.

Note: The IIA's Risk in Focus Global Survey, n=4,207. Percentages show who ranked the area as one of their top 5 for risk level. Dark blue shading indicates the 5 areas of highest risk for that region.

Figure 2: Top 5 audit effort per region (Global)

What are the top 5 risks on which internal audit spends the most time and effort? The table shows the percentage for each of the 16 audit areas by region: Average of all regions, Europe, Middle East, North America, Africa, Latin America, and Asia Pacific.

Highest effort areas per region: The areas of highest audit effort across regions are remarkably similar. North America's cybersecurity (84%) and governance/corporate reporting (55%) effort are highlighted.

Note: The IIA's Risk in Focus Global Survey, n=4,207. Percentages show who ranked the area as one of their top 5 for audit time and effort. Dark green shading indicates the 5 highest audit effort areas for that region.
Figure 3: Expected risk change in 3 years (Global)

What are the top 5 risks your organization currently faces? What are the top 5 risks your organization will face 3 years from now?

Current risk ranking: 1. Cybersecurity, 2. Human capital, 3. Business continuity, 4. Regulatory change, 5. Digital disruption, 6. Financial liquidity, 7. Market changes, 8. Geopolitical uncertainty, 9. Governance/corporate reporting, 10. Supply chain and outsourcing, 11. Organizational culture, 12. Fraud, 13. Communications/reputation, 14. Climate change, 15. Health and safety, 16. Mergers and acquisitions.

Future risk ranking (3 years from now): 1. Cybersecurity, 2. Digital disruption, 3. Human capital, 4. Business continuity, 5. Climate change, 6. Regulatory change, 7. Geopolitical uncertainty, 8. Market changes, 9. Supply chain and outsourcing, 10. Financial liquidity, 11. Organizational culture, 12. Governance/corporate reporting, 13. Fraud, 14. Communications/reputation, 15. Health and safety, 16. Mergers and acquisitions.

Expected risk change: Climate change risks are expected to increase dramatically, from fourteenth to fifth place.

Note: The IIA's Risk in Focus Global Survey, n=4,207. Percentage who ranked the area as one of their organization's top 5 highest risks.

Figure 4: Expected audit effort change in 3 years (Global)

What are the top 5 risks on which internal audit spends the most time and effort? What are the top 5 risks you expect internal audit to spend the most time and effort addressing 3 years from now?

Current audit effort ranking: 1. Cybersecurity, 2. Governance/corporate reporting, 3. Business continuity, 4. Regulatory change, 5. Financial liquidity, 6. Fraud, 7. Supply chain and outsourcing, 8. Human capital, 9. Organizational culture, 10. Digital disruption, 11. Communications/reputation, 12. Health and safety, 13. Market changes, 14. Climate change, 15. Geopolitical uncertainty, 16. Mergers and acquisitions.

Future audit effort ranking (3 years from now): 1. Cybersecurity, 2. Digital disruption, 3. Business continuity, 4. Regulatory change, 5. Governance/corporate reporting, 6. Human capital, 7. Climate change, 8. Fraud, 9. Financial liquidity, 10. Supply chain and outsourcing, 11. Organizational culture, 12. Market changes, 13. Communications/reputation, 14. Geopolitical uncertainty, 15. Health and safety, 16. Mergers and acquisitions.

Expected effort change: Steep rises are expected for internal audit activity related to digital disruption and climate change.

Note: The IIA's Risk in Focus Global Survey, n=4,207. Percentage who ranked the area as one of their organization's top 5 highest risks.

SURVEY RESULTS NORTH AMERICA

How to use survey results

Key findings for North America are summarized below, but readers are encouraged to review the graphs that follow in detail to obtain further insights. Percentages show how many chose an audit area as one of the five highest for risk level
or audit effort at their organization. Results for risk levels are colored blue and results for audit effort are green; current levels are darker shades and future levels are lighter.

Figure 5: Current risk levels vs. future risk levels (North America)
- Cybersecurity and human capital dominated the risk landscape for North America for 2024.
- In the next three years, digital disruption and climate change are the risks expected to increase the most.

Figure 6: Expected risk level change in 3 years (North America)
- Digital disruption is expected to move from the sixth highest risk to the second highest in the next three years.
- Climate-related risks climb into ninth position, up from the bottom three.

Figure 7: Current audit effort vs. future audit effort (North America)
- Overwhelmingly, CAEs chose cybersecurity as a top 5 area for internal audit effort (84%).
- Second place is held by governance/corporate reporting, but this area is expected to decrease in the future.

Figure 8: Expected audit effort change in 3 years (North America)
- Steep rises are expected for activity to deal with digital disruption and climate change.
- Increases are offset by reductions for financial liquidity and governance/corporate reporting.

Figure 9: Current risk levels vs. current audit effort (North America)
- Governance/corporate reporting is low risk for organizations (16%) but high effort (55%) for internal audit in North America.
- Effort is low compared to risk for geopolitical uncertainty, market changes, and climate change, but these risks may be addressed through financial liquidity, business continuity, or supply chain.

Figure 10: Future risk levels vs. future audit effort (North America)
- Risk levels and effort are expected to be closely aligned in the next three years for the rising risk areas of digital disruption (56%/53%) and climate change (30%/27%).

North America Survey Responses Per Country

Country          Responses
United States    385
Canada           57
Total            442
Understanding the impact of SOX in North America on survey results

"To better understand audit activities in North America, it's important to recognize the effect of Sarbanes-Oxley (SOX) requirements and ERM responsibility on internal audit functions," says Richard Chambers, senior audit advisor at AuditBoard. The Sarbanes-Oxley Act of 2002 established extensive regulatory requirements for internal controls over financial reporting for publicly traded companies in the United States. Internal audit is often tasked with the lion's share of this effort, with 67% of internal audit functions at publicly traded companies saying they have direct responsibility, according to The IIA's 2023 North American Pulse of Internal Audit survey.[1]

In the Risk in Focus survey, Sarbanes-Oxley activity falls under the category of organizational governance/corporate reporting. This area ranked near the bottom for risk (16% as one of their top 5), but it ranked second for audit time and effort (55% at top 5). This effort toward corporate reporting tends to draw audit time away from other areas, increasing gaps between risk and effort in other areas.

In addition to the bandwidth challenge, Chambers noted that Sarbanes-Oxley can also create an independence challenge for internal audit. Among 2023 Pulse survey respondents, 72% of CAEs at publicly traded companies say they report administratively to the chief financial officer (CFO), who is often in charge of the SOX program. This high level of responsibility for SOX, combined with administrative reporting to the CFO, creates a risk that CAEs are not only providing assurance for internal controls over financial reporting, but are also taking on the CFO's compliance responsibilities directly. At issue is whether internal audit has enough independence to provide assurance for internal controls over financial reporting, given its responsibilities and reporting line.

Finally, almost half of CAEs at publicly traded companies (46%) are also responsible for ERM, according to 2023 Pulse survey respondents. On the positive side, when one role is responsible for both, there may be closer alignment between risk assessment and audit activity. However, it's important for CAEs to be properly trained in ERM methodology, which places equal emphasis on opportunities and risk. If internal audit is responsible for ERM, it is preferable for a third party to provide assurance for the overall effectiveness of risk management, because the internal audit function should not audit its own activity.

Recommended Reading
- The IIA's Three Lines Model. Risk in Focus frequently refers to the influential Three Lines Model, which explains the roles of the first, second, and third lines.
- The IIA's North American Pulse of Internal Audit. This annual report provides benchmarks about budgets, staff, and CAE responsibilities.

[1] For survey results cited from the Pulse of Internal Audit, see page 43 (reporting lines) and page 35 (ERM responsibility) at https://www.theiia.org/en/resources/research-and-reports/pulse/
Figure 5: Current risk levels vs. future risk levels (North America)

What are the top 5 risks your organization currently faces? What are the top 5 risks your organization will face 3 years from now? The graph shows current risk and future risk for each of the 16 audit areas.

Cybersecurity and human capital dominated the risk landscape for North America for 2024. In the next 3 years, digital disruption and climate change are the risks expected to increase the most.

Note: The IIA's Risk in Focus Global Survey, North America, n=442. Percentage who ranked the area as one of their organization's top 5 highest risks.

Figure 6: Expected risk level change in 3 years (North America)

Current risk ranking: 1. Cybersecurity, 2. Human capital, 3. Regulatory change, 4. Market changes, 5. Business continuity, 6. Digital disruption, 7. Supply chain and outsourcing, 8. Geopolitical uncertainty, 9. Financial liquidity, 10. Communications/reputation, 11. Organizational culture, 12. Health and safety, 13. Governance/corporate reporting, 14. Climate change, 15. Fraud, 16. Mergers and acquisitions.

Future risk ranking (3 years from now): 1. Cybersecurity, 2. Digital disruption, 3. Human capital, 4. Regulatory change, 5. Market changes, 6. Business continuity, 7. Supply chain and outsourcing, 8. Geopolitical uncertainty, 9. Climate change, 10. Organizational culture, 11. Financial liquidity, 12. Governance/corporate reporting, 13. Communications/reputation, 14. Health and safety, 15. Mergers and acquisitions, 16. Fraud.

Expected risk change: Digital disruption is expected to move from the sixth highest risk to the second highest in the next 3 years. Climate-related risks climb into ninth position, up from the bottom three.

Note: The IIA's Risk in Focus Global Survey, North America, n=442. Percentage who ranked the area as one of their organization's top 5 highest risks.
Figure 7: Current audit effort vs. future audit effort (North America)

What are the top 5 risks on which internal audit spends the most time and effort? What are the top 5 risks you expect internal audit to spend the most time and effort addressing 3 years from now? The graph shows current effort and future effort for each of the 16 audit areas.

Overwhelmingly, CAEs chose cybersecurity as a top 5 area for internal audit effort (84%). Second place is held by governance/corporate reporting, but this area is expected to decrease in the future.

Note: The IIA's Risk in Focus Global Survey, North America, n=442. Percentage who ranked the area as one of their top 5 for audit time and effort.

Figure 8: Expected audit effort change in 3 years (North America)

Current audit effort ranking (percentage ranking the area in their top 5): 1. Cybersecurity 84%, 2. Governance/corporate reporting 55%, 3. Business continuity 53%, 4. Regulatory change 53%, 5. Financial liquidity 46%, 6. Supply chain and outsourcing 38%, 7. Fraud 26%, 8. Human capital 26%, 9. Digital disruption 25%, 10. Health and safety 21%, 11. Communications/reputation 20%, 12. Organizational culture 17%, 13. Market changes 14%, 14. Mergers and acquisitions 10%, 15. Climate change 9%, 16. Geopolitical uncertainty 4%.

Future audit effort ranking (3 years from now): 1. Cybersecurity 80%, 2. Digital disruption 53%, 3. Regulatory change 49%, 4. Business continuity 46%, 5. Governance/corporate reporting 38%, 6. Supply chain and outsourcing 36%, 7. Human capital 32%, 8. Financial liquidity 29%, 9. Climate change 27%, 10. Market changes 19%, 11. Fraud 17%, 12. Health and safety 17%, 13. Organizational culture 16%, 14. Communications/reputation 14%, 15. Mergers and acquisitions 13%, 16. Geopolitical uncertainty 12%.

Expected effort change: Steep rises are expected for activity to deal with digital disruption and climate change. Increases are offset by reductions for financial liquidity and governance/corporate reporting.

Note: The IIA's Risk in Focus Global Survey, North America, n=442. Percentage who ranked the area as one of their top 5 for audit time and effort.
113、obal Survey results:North AmericaCybersecurity:Team building for cyber resilienceHuman capital:Negotiating the culture clashMarket changes:Adding value with strategic involvementBusiness continuity:Building resilience in complexityInterconnected risks:Geopolitical uncertainty,supply chain,and regula
114、tory changeFuture expectations:Pressure grows from digital disruption and climate changeGovernance/corporate reporting is low for risk(16%)but high for audit effort(55%).Effort is lower priority compared to risk for geopolitical uncertainty,market changes,and climate change,but these risks may be ad
115、dressed through financial liquidity,business continuity,or supply chain.nnCybersecurityHuman capitalGeopolitical uncertaintyRegulatory changeFinancial liquidityMarket changesCommunications/reputationBusiness continuityOrganizational cultureDigital disruptionHealth and safetyClimate changeMergers and
Figure 9: Current risk levels vs. current audit effort, North America. Questions: "What are the top 5 risks your organization currently faces?" and "What are the top 5 risks on which internal audit spends the most time and effort?" Series: current risk and current effort. (Chart data not reproduced.)
Note: The IIA's Risk in Focus Global Survey, North America, n=442. Percentage who ranked the area as one of their top 5 for risk or internal audit effort.

Risk levels and effort are expected to be closely aligned in the next 3 years for the growing risk areas of digital disruption (56% to 53%) and climate change (30% to 27%).

Figure 10: Future risk levels vs. future audit effort, North America. Questions: "What are the top 5 risks your organization will face 3 years from now?" and "What are the top 5 risks you expect internal audit to spend the most time and effort addressing 3 years from now?" Series: future risk and future effort. (Chart data not reproduced.)
Note: The IIA's Risk in Focus Global Survey, North America, n=442. Percentage who ranked the area as one of their top 5 for risk or internal audit effort.

CYBERSECURITY
Team building for cyber resilience

Because most organizations expect to be hacked, they are focused on building resilience through enterprise-wide collaboration and continuous training.

Survey Results: Cybersecurity
1st for audit effort: 84% ranked it as a top 5 for audit effort. 1st for risk level: 85% ranked it as a top 5 for risk level.

The pandemic forced many organizations to rapidly roll out IT systems, often using cloud-based third-party suppliers, to enable staff to work from home during lockdowns. As a result, hacking both intensified and industrialized just at the time when extended networks were most vulnerable. Not only has the risk of state-sponsored cyberattacks increased because of geopolitical uncertainty, including the war in Ukraine and tensions between the U.S. and China, but the burgeoning cyber-attack-as-a-service industry means that amateur hackers can carry out sophisticated scams for a fraction of the time and cost.2 Those trends have increased both the potential financial impacts of successful breaches and the risk of existential threat from so-called wiper attacks: experts fear that such knock-out hits currently targeting Ukrainian networks could spread to the U.S.3 The average cost of a data breach in North America has climbed 12.7% since 2020 to $4.35 million in 2022, according to IBM. And 83% of respondents said they had experienced multiple breaches, with 45% of those occurring in the cloud.4

2 For more about cyber-attack-as-a-service, see https:/
3 For more about wiper malware, see https:/
4 For more about cost of data breaches, see https:/
132、r resilienceHuman capital:Negotiating the culture clashMarket changes:Adding value with strategic involvementBusiness continuity:Building resilience in complexityInterconnected risks:Geopolitical uncertainty,supply chain,and regulatory changeFuture expectations:Pressure grows from digital disruption
133、 and climate changePAGE 22 OF 495 For more about the new SEC rules,see https:/www.sec.gov/news/press-release/2023-139 6 For more about cybersecurity legislation in the U.S.,see https:/www.ncsl.org/technology-and-communication/cybersecurity-legislation-2021New SEC rule adds structure In July 2023,The
134、 U.S.Securities and Exchange Commission(SEC)adopted new rules for reporting incidents and disclosing activities related to cybersecurity risk management,strategy,and governance.One of the goals is to make information more consistent and easier to use for decision-makers and investors.5 The SEC rules
135、 are layered on top of a tangle of existing cyber regulations.There were more than 250 bills or resolutions proposed at state or federal levels in the U.S.in 2021.6 For those operating across multiple jurisdictions,the time needed to keep up with developments can be significant,said a CAE at a globa
136、l financial services firm.She described extensive efforts to keep up with requirements,from using cybersecurity consultants to regularly connecting with members of the legal community,the Justice Department,and other CAEs to ensure that the organization is up to speed.Cyber defense requires knowledg
137、e Awareness of cyberattacks is high in boardrooms and among executive management,but so are talent shortages for key IT and cyber skills,CAEs at the roundtable said.Posts are hard to fill.Its no wonder that human capital ranked as the second biggest risk,with 65%of survey respondents rating it as a
138、top 5 for risk level(see Figure 1).CAEs from small functions and the public sector say understaffing is particularly acute for them because it is hard to compete with the salaries or career prospects from larger companies and the private sector.Less well-highlighted is the talent gap in the boardroo
139、m.Several CAEs at the roundtable agreed that without specialist IT and cyber knowledge on the audit committee or board,recommendations can fall on deaf ears.“Until you get somebody in that oversight position who genuinely understands what needs to be in a program for cybersecurity and data protectio
140、n,who understands the recommendations from the chief information security officer and internal audit,you are not going to get meaningful progress within the company,”said a CAE at a publicly traded North American energy company.ResourcesAssessing Cybersecurity Risk:The Three Lines Model(The IIA)Audi
141、ting Cyber Incident Response and Recovery(The IIA)Auditing Cybersecurity Operations:Prevention and Detection(The IIA)CYBERSECURITYContentsExecutive summary North America MethodologySurvey results:Global Survey results:North AmericaCybersecurity:Team building for cyber resilienceHuman capital:Negotia
142、ting the culture clashMarket changes:Adding value with strategic involvementBusiness continuity:Building resilience in complexityInterconnected risks:Geopolitical uncertainty,supply chain,and regulatory changeFuture expectations:Pressure grows from digital disruption and climate changePAGE 23 OF 497
143、 For more about integrated auditing,see https:/www.theiia.org/en/content/guidance/recommended/supplemental/practice-guides/practice-guide-integrated-approaches-to-internal-auditing/Some leading organizations elevate the position of chief information security officer(CISO)in the governance structure
144、so that it is easier to pool knowledge,share recommendations,and raise issues.“If the CISO feels there is exposure and the chief information officer refuses to address it,it is critical he or she has the independence to go directly to the CAE or audit committee to be heard,”said Karen Percent,a heal
145、thcare industry CAE.Most CAEs at the roundtable said they were strengthening training and awareness to combat continuous developments in malware and social engineering hacks.They get everyone from the CEO down to entry-level staff to participate in ongoing,faux phishing attacks that incorporate rece
146、nt hacking methodologies,with extra effort where weaknesses have been identified.Setting the tone at the top and making that visible makes a difference.Organizations are running through extensive hacking,defense,and recovery scenarios to ensure the executive team and board are ready for strategic de
147、cision making if a ransomware attack occurs.This is combined with the use of ethical hackers to test online and operational defense controls.“You are going to get hacked it is going to happen,”said an academic from a leading U.S.business school,“so the key focus for the board today is to detect and
148、correct.”Collaboration is key to success Most crucially,collaboration across the entire enterprise is key.Cybersecurity and data security issues are not located in just one part of a business;they are ubiquitous.That means risks,controls,and mitigations also impact multiple business functions.Ada Le
149、ung,vice president and CAE at Fidelity in Canada,said that moving to an integrated assurance model7 has helped her internal audit department identify and focus on higher risk areas.In addition,migrating to an enterprise-wide technology platform meant that the business was able to employ a single ris
150、k taxonomy one language across its three lines for IT another plus.“Just as a business cannot do things in silos successfully,neither can internal audit,”she said.“Building good,trusted partnerships is the key to everything we do being flexible,agile,and listening and collaborating with your busines
151、s partners is essential.”CYBERSECURITY“Building good,trusted partnership is the key to everything we do being flexible,agile,and listening and collaborating with your business partners is essential.”ContentsExecutive summary North America MethodologySurvey results:Global Survey results:North America
152、Cybersecurity:Team building for cyber resilienceHuman capital:Negotiating the culture clashMarket changes:Adding value with strategic involvementBusiness continuity:Building resilience in complexityInterconnected risks:Geopolitical uncertainty,supply chain,and regulatory changeFuture expectations:Pr
153、essure grows from digital disruption and climate changePAGE 24 OF 49CYBERSECURITYThat also includes listening to staff and watching for potential weak points.Routines that make peoples daily jobs difficult,such as clumsy virtual networks,may be circumvented,creating cyber risk control flash points.M
154、anagement may try to implement solutions outside of IT oversight,creating a“shadow IT”that is ripe for hacking.One solution is to centralize governance processes for cybersecurity in IT departments and away from management so that IT has full visibility into all technology usage.CAEs at the roundtab
155、le said key internal audit assignments have included:n Collating IT asset management inventories so that patch programs cover the entire enterprise.n Assessing cybersecurity maturity of the whole enterprise to create a gap analysis of the controls environment.n Auditing enterprise-wide risk manageme
156、nt to test how complete and effective it is for cybersecurity.n Collaborating with IT and risk management on creating continuous controls monitoring for both cyber defense and operational controls.In three years time,survey respondents expect that cybersecurity will still be at the top of the list f
157、or risk levels and audit effort.With developing technologies,such as artificial intelligence,coming on stream over that time,and the tensions between the U.S.and China over Taiwan,the risk landscape is only likely to become more complex and potentially more dangerous.Management may try to implement
158、solutions outside of IT oversight,creating a“shadow IT”that is ripe for hacking.ContentsExecutive summary North America MethodologySurvey results:Global Survey results:North AmericaCybersecurity:Team building for cyber resilienceHuman capital:Negotiating the culture clashMarket changes:Adding value
159、with strategic involvementBusiness continuity:Building resilience in complexityInterconnected risks:Geopolitical uncertainty,supply chain,and regulatory changeFuture expectations:Pressure grows from digital disruption and climate changeAssess the level of awareness,knowledge,and skills in key parts
160、of the business,including the board,to ensure that cyber defense responses are relevant and up to date.Evaluate the reporting lines between the CISO,the CIO,and the board to ensure risks and recommendations are communicated clearly and can be escalated to the highest level when necessary.Assess the
161、frequency,timeliness,and effectiveness of faux phishing campaigns and other awareness raising activities and the levels of staff engagement,as well as how well-integrated they are with training and follow-up processes.Use scenario run-throughs to both educate the board on their governance responsibi
162、lities and to test that mitigation processes are complete and effective.Evaluate the effectiveness of the controls environment and how well controls are embedded into the first and second lines,paying particular attention to those practices that staff find disruptive or intrusive and are likely to i
163、gnore,forget,or circumvent.Evaluate the governance processes around shadow IT and whether it is appropriate for first and second lines to own those technologies and their associated controls.Assess how well the organizations governance structure enables collaboration across the three lines.Assess ho
164、w well the organization keeps abreast of global developments in cybersecurity and technology regulations reach and how readily data controls can be changed to meet future requirements.CYBERSECURITY1.How internal audit can help the organization2.3.4.5.7.8.6.PAGE 25 OF 49ContentsExecutive summary Nort
165、h America MethodologySurvey results:Global Survey results:North AmericaCybersecurity:Team building for cyber resilienceHuman capital:Negotiating the culture clashMarket changes:Adding value with strategic involvementBusiness continuity:Building resilience in complexityInterconnected risks:Geopolitic
166、al uncertainty,supply chain,and regulatory changeFuture expectations:Pressure grows from digital disruption and climate changeHUMAN CAPITALNegotiating the culture clash At a time of acute skills and talent shortages,CAEs are helping organizations to diversify work practices,recruitment,and retention
167、 strategies.PAGE 26 OF 49Survey Results Human CapitalHuman capital risk cuts across every strategic and operational area of a business.Without the right people,organizations cannot function effectively either to achieve goals,or to identify,manage,and mitigate key risks.Because of trends such as dig
168、italization and complex emerging risks such as climate change,organizations require a broader and deeper spectrum of expertise across a wider range of areas.But they face critical shortages in essential skills.In cybersecurity alone,one study put the number of unfilled posts in the U.S.at 750,000.8
169、Accelerated by the pandemic,changes to the culture of work have hit hard in North America.The so-called Great Resignation a process that saw millions of experienced senior workers quit work as lockdowns triggered a re-evaluation of personal priorities continues.About 4 million people(2.6%of the U.S.
170、workforce)left their posts in October 2022 alone.9 In addition,many younger people have fallen out of love with the traditional values and corporate work culture.Not only do most insist on flexible employment practices including hybrid working but an increasing number value being part of purpose-dri
171、ven enterprises.108 For more about cyber staff shortages,see https:/ 9 For more about the Great Resignation,see https:/www.weforum.org/agenda/2023/01/us-workers-jobs-quit/10 For more about hybrid work,see https:/ more about work values,see https:/ it as a top 5 for audit effort65%ranked it as a top
172、5 for risk level8TH AUDIT EFFORT2ND RISK LEVELContentsExecutive summary North America MethodologySurvey results:Global Survey results:North AmericaCybersecurity:Team building for cyber resilienceHuman capital:Negotiating the culture clashMarket changes:Adding value with strategic involvementBusiness
173、 continuity:Building resilience in complexityInterconnected risks:Geopolitical uncertainty,supply chain,and regulatory changeFuture expectations:Pressure grows from digital disruption and climate changePAGE 27 OF 4911 For more about the finance industry DEI Code,see https:/www.cfainstitute.org/en/ab
174、out/press-releases/2023/dei-code-100-signatories-milestoneCreating a well-resourced and flexible organizational response is a number-one boardroom priority,CAEs at the roundtable agreed.But that has been made more difficult because of the need to cut costs and fight upward wage demands in an environ
175、ment that has suffered from inflationary pressures.At the same time,staff are pushing employers to strengthen their diversity,equity,and inclusion(DEI)policies in the workplace.That has seen more firms signing up to voluntarily practice codes proving that they take cultural transformation seriously.
176、In February 2023,more than 100 finance industry organizations across the U.S.and Canada signed up for the industrys voluntary DEI Code.11Middle management sets the tone for hybrid work But not all senior executives are in tune with hybrid work trends.“Some board members are questioning why we are st
177、ill hybrid when everybody seems to be returning back to the office,”said a CAE in the U.S.public sector.“But hybrid is a key option for us because it helps us attract and retain talent.”Adopting hybrid working styles is a popular strategy but it is not without risk.First,without experiencing real-ti
178、me,in-person events in the workplace,there are fewer opportunities to develop and coach younger staff,said a CAE at a North American professional services firm.As a result,it takes longer for her hires to absorb the values and culture of the business,especially in more distributed organizations.Seco
179、nd,critical soft skills may be less developed in recently graduated joiners many of whom completed their college years in front of computer screens as higher education went into lockdown.Interestingly,some of those who experienced online-only higher education want to work onsite.Balancing such confl
180、icting preferences is crucial for attracting and retaining staff,CAEs agreed.Few companies have fully redefined their work processes in the post-pandemic era.Rather than new cultural HUMAN CAPITAL expectations being set by the board,culture is more likely to be defined by middle management out of ne
181、cessity,said Brian Tremblay,CAE at 1stDibs.“Corporate culture is defined by the tone in the middle,where managers make decisions for the benefit of their people,which may or may not align to the organizations values,”he said.CAEs can help by providing boards with awareness about differences in work
182、practices across business units so that boards are more in tune with culture realities.ResourcesTalent Management:Recruiting,Developing,Motivating,and Retaining Great Team Members (The IIA)Cultivating a Healthy Culture(Chartered Institute of Internal Auditors)2023 Organizational Culture and Ethics R
183、eport(AuditBoard)ContentsExecutive summary North America MethodologySurvey results:Global Survey results:North AmericaCybersecurity:Team building for cyber resilienceHuman capital:Negotiating the culture clashMarket changes:Adding value with strategic involvementBusiness continuity:Building resilien
184、ce in complexityInterconnected risks:Geopolitical uncertainty,supply chain,and regulatory changeFuture expectations:Pressure grows from digital disruption and climate changePAGE 28 OF 4912 For more about the positive correlation between diversity and performance,see https:/hbr.org/2018/07/the-other-
185、diversity-dividend 13 For more about the statement on DEI,see https:/www.whitehouse.gov/briefing-room/presidential-ac-tions/2021/06/25/executive-order-on-diversity-equity-inclusion-and-accessibility-in-the-federal-workforce/14 For more about DiSC,see https:/ is more than skin deep A variety of resea
186、rch has shown a positive correlation between increased diversity and economic growth in both the general U.S.economy and in individual businesses.12 Many organizations have embraced those findings,as has the U.S.federal government,which is implementing new DEI requirements for federal bodies.13 Seve
187、ral CAEs at the roundtable said their boards expect their organizations to make extensive use of diversity and inclusion metrics.A CAE at a retail bank said her organization goes beyond tracking physical attributes and also considers diversity in thought,approach,and mindset.Some organizations use t
188、he DiSC personality test to better understand the working styles of their employees and maximize employee effectiveness.14 Yet while tracking diversity has benefits,caution must be taken to avoid triggering legal action if the statistics demonstrate that some groups have been discriminated against.L
189、ook for non-traditional signs of troubleAuditing policies,procedures,and the results of employee surveys are obvious internal audit assignments,but they can miss the less obvious signs of trouble.Internal audit can use thoughtful observations to pick up on less-tangible signals low morale,negative s
190、ocial media,messy breakrooms and explore whether these are signs of deeper cultural problems.HUMAN CAPITAL Collaborate to break down siloed recruitmentA CAE in the education industry echoed a growing sentiment when he said that he had stopped looking at internal audit as a silo within the organizati
191、on.Instead,he overhauled his departments human resources framework to drop the pretense that internal audit had to be a career for life and ensured that he collaborated with other departments to help improve overall staff retention since all areas of the business are suffering the same challenges.Se
192、veral CAEs at the roundtable said their boards expect their organizations to make extensive use of diversity and inclusion metrics.ContentsExecutive summary North America MethodologySurvey results:Global Survey results:North AmericaCybersecurity:Team building for cyber resilienceHuman capital:Negoti
193、ating the culture clashMarket changes:Adding value with strategic involvementBusiness continuity:Building resilience in complexityInterconnected risks:Geopolitical uncertainty,supply chain,and regulatory changeFuture expectations:Pressure grows from digital disruption and climate changePAGE 29 OF 49
194、HUMAN CAPITAL Boosting rotations from within the business,increasing the use of guest auditors for specific assignments,and openly discussing new applicants longer-term career choices helped ease pressure in the internal audit function.“Im playing the longer game by helping people stay at the busine
195、ss and benefit from an environment of learning,which seems to be working,”he said.Similarly,a CAE at a global analytics company said that his staff often make lateral moves within the organization as a result of having close contact with many business units.Despite the extra effort needed to backfil
196、l the internal audit positions,he believes the moves ultimately improve the overall risk maturity of the business.Capitalize on strengths for internal audit recruitingWhile CAEs said they were working to help organizations create the right culture to attract,train,and retain staff within their organ
197、izations,many are hampered by staff and skills shortages in their own audit functions particularly in smaller organizations and the public sector,where budget pressures can be intense.Although public sector organizations often struggle to offer competitive pay,they can emphasize their public service
198、 ethos to increase recruitment and retention,said Pamela Stroebel Powers,The IIAs director of professional guidance for the public sector.“Organizations must set performance expectations up front and make sure people understand how their job relates to the purpose of the organization because every s
199、ingle job in the organization should relate to that mission.”“Im playing the longer game by helping people stay at the business and benefit from an environment of learning.”ContentsExecutive summary North America MethodologySurvey results:Global Survey results:North AmericaCybersecurity:Team buildin
200、g for cyber resilienceHuman capital:Negotiating the culture clashMarket changes:Adding value with strategic involvementBusiness continuity:Building resilience in complexityInterconnected risks:Geopolitical uncertainty,supply chain,and regulatory changeFuture expectations:Pressure grows from digital
201、disruption and climate changeEvaluate how well management has identified the potential emerging risks of hybrid working and has developed effective strategies and policies to mitigate those risks.Assess the varieties of corporate cultural practices throughout the business and communicate those to th
202、e board to feed into decision making and policy setting.Assess the use of formal diversity metrics and their effectiveness in monitoring diversity and inclusion policies,including whether they consider diversity of thought and mind.Develop strategies to use personal interactions with audit clients t
203、o identify intangible signs that cultural problems may be brewing and capture those observations for follow up and remediation.Evaluate whether the organizations human resources framework aims to attract and retain talent within the enterprise rather than within individual silos and that career prog
204、ress paths are well-structured and clearly communicated.Assess whether the organizations broader purpose is well-defined and communicated throughout the enterprise,including in human resources strategies for attracting and retaining staff.HUMAN CAPITAL1.How internal audit can help the organization2.
205、3.4.5.6.PAGE 30 OF 49ContentsExecutive summary North America MethodologySurvey results:Global Survey results:North AmericaCybersecurity:Team building for cyber resilienceHuman capital:Negotiating the culture clashMarket changes:Adding value with strategic involvementBusiness continuity:Building resi
MARKET CHANGES
Adding value with strategic involvement

Markets are changing unpredictably, causing organizations to invest in digital strategies that are more responsive to fast-moving trends. CAEs are bringing together expertise across their businesses and acting as advisors on new initiatives to help those transformations.

Survey results: Market changes
41% ranked it as a top 5 for risk level. Ranked 13th for audit effort and 4th for risk level.

The economy in North America has driven market changes, competition, and changing consumer behavior over the past year. At the beginning of 2022, the U.S. Federal Reserve turned its attention away from the pandemic to containing inflation, signaling the end of an era of historically cheap money. Business bankruptcies rose as pandemic help faded and customers cut back spending in the face of higher prices.15 Inflation and a rising dollar made products manufactured in North America more expensive, squeezing domestic margins and pushing imports, especially from China, to pre-pandemic levels.16 In financial services, some banks collapsed partly because they failed to manage interest rate risk.17

At the same time, organizations are adapting to longer-term trends in digital consumerism. Young people have transformed the way consumers interact with organizations, from shopping and service use to activism and public criticism. In a less loyal, more socially connected marketplace, reputations can crash and trigger bank runs in a matter of hours.

15 For more about U.S. bankruptcy metrics, see https:/
16 For more about global trade, see https:/
17 For more about bank failures, see https:/
Early involvement prevents future problems

Rapidly investing in the technology to deliver products and services is often essential to keep up with the market, CAEs at the roundtable said. But doing so increases exposure to other threats, including cybersecurity risk from new and untried systems and supply chain risk where services move to the cloud or change their operating structure. That is why it is critical for CAEs to be involved at the implementation stage as advisors, said Ada Leung, vice president and CAE at Fidelity in Canada. "It is no longer enough to come back three years after a project has been launched and make sure the controls were good. Nowadays, we are collaborating and partnering with the partners to provide assurance of design controls prior to implementation. It is a much safer, cheaper, and more effective approach."

But devising an audit plan for a digitally transforming organization is challenging. "CAEs must be clued into organizational strategies, which means not conducting static risk assessments nor having an event-based audit plan that is inflexible," said Harold Silverman, The IIA's senior director of CAE and corporate governance engagement. "Emerging technologies and market changes are dynamic risk events in themselves, so CAEs must constantly be alert to re-evaluate what they are auditing and how."

Rather than simply focusing on separate engagements, Silverman said CAEs must update their audit assignments regularly to include those new elements in the audit department's planned work schedule. That makes sense, first, because risks related to market changes are often embedded in other types of threat, for example, liquidity and financial risk. Second, incorporating market risks into the planned work schedule may enable a CAE to cover that risk without needing to broach it with a reluctant audit committee, even though upward education in risk is an important function of the CAE. Finally, it prevents the internal audit department from neglecting upcoming threats due to an out-of-date audit plan or slow methodologies that do not suit the risk category, he said.
Calculate the costs of market risks

Organizations need to do more than just identify market risks; they should calculate accurate and specific information about financial impacts, said a CAE at a non-profit healthcare organization. "My goal is to get to 'What is our unmitigated risk in dollar terms?' in a way that our executive leadership team can decide which strategic initiatives we are going to pursue or not pursue."

Ayaka Mitsunari, internal audit director/risk architect for delivery at Uber, said her team reviews governance processes, strategy, and operating structures to assess whether the business is able to respond effectively to market challenges. For example, internal audit asks, "How is management measuring the stickiness of the product? Do they have the right processes to be able to adapt quickly and innovatively?" she said.

Bring in experts when needed

Given the interconnected nature of the risk and its mitigation strategies, collaborating across the business by tapping into sources of knowledge is key to success. "With accelerated change in markets and customer trends, the future for internal audit and risk management professionals is to be able to partner with senior management on addressing a risk six months from now that you probably have not identified yet. You are going to have to pivot and be flexible," said a leading academic at the roundtable.

"We do not have all the answers in these emerging areas, so we need to be humble, learn, and be attuned to those risk areas where we need to bring in experts if there is a deficiency in the business," said Nancy Russell, CAE at Canada Life. "That could rub against executive egos, but it is important to encourage them to be transparent with the board where solutions do not exist and be open to bringing in help where needed."

To build business knowledge, CAEs at the roundtable said they strive to hire from a more diverse cohort of staff, especially those with business acumen and experience, although current skills and talent shortages make that task difficult. To expand internal audit's range and depth of skills, they also said they focused on boosting certification and training, as well as rotating people through the department and making use of guest auditors on technical issues.
MARKET CHANGES
How internal audit can help the organization
1. Evaluate the organization's risk management to see if there are adequate horizon-scanning processes to track emerging market trends and use them for strategic decision making.
2. Provide input on market-driven technology projects at the implementation stage to ensure risks are properly assessed and mitigated.
3. Assess how effectively risks from market changes, competition, and consumer behavior are quantified in monetary terms and used in decision-making processes.
4. Assess how well the overall governance processes in the business are responsive to market changes and able to pivot to take advantage of new opportunities.
5. Evaluate the organization's human resources strategies to ensure that key skills and expertise relating to future risks and opportunities are identified, including in the internal audit department, and recruited for in a timely way.
BUSINESS CONTINUITY
Building resilience in complexity

If boards tended to under-prioritize business continuity plans before the pandemic, that is no longer the case. High-profile cyber breaches, extreme weather events, and rising geopolitical tensions, particularly between the U.S. and China, continue to keep the topic on the agenda.

Survey results: Business continuity
53% ranked it as a top 5 for audit effort; 36% ranked it as a top 5 for risk level. Ranked 3rd for audit effort and 5th for risk level.

In fact, business continuity, operational resilience, crisis management, and disaster recovery are often not seen as risks in themselves, but as a response to a wide range of potential interruptions to the business. "For the systemic risks we face and threats such as supply chain disruption and vendor resiliency, we feel like the answer to all these different things is having a business continuity plan," commented a CAE from a U.S. manufacturer.

Event-based planning is too narrow

The experience of the pandemic and the rapid macroeconomic changes that have driven up inflation and interest rates have not only made it a boardroom imperative to better prepare organizations for the future, but also altered the way businesses think about operational resilience. In particular, CAEs at the roundtable agreed that the pandemic mostly overwhelmed those business continuity plans that did exist because of the scale and complexity of the event. Public sector bodies, for example, had to distribute government aid immediately without fraud controls in place. In addition, suppliers, partners, and customers were equally affected, so business continuity plans often failed to account for disruption to those organizations they would normally turn to for support. "My organization had done a lot of disaster preparedness and planning for local disasters, but this hit everyone all at once, so organizations were not prepared for cross-functional, cross-jurisdictional emergencies of such magnitude," said Pamela Stroebel Powers, director of professional guidance for the public sector at The IIA.

Organizations have learned that rapid, unpredictable knock-on risks are a core feature of systemic risks. That means that disasters that are systemic, rather than triggered by a single event like a storm, fundamentally alter the way that risk can be managed and mitigated during a crisis. Organizations must plan for both event-based and non-traditional, broad-scope crises. Shannon Urban, vice president and CAE at Hasbro, said her business extended its enterprise risk program to include both types of risk, and internal audit ensures they are included and monitored and that disaster recovery plans are in place. In addition, disaster recovery plans go through regular desktop exercises, where internal audit provides a critical voice so that any weaknesses are proactively identified and tackled.

Detailed risk assessments need deeper collaboration

Given that macroeconomic and geopolitical uncertainty, changes in market behavior, climate change events, and cybersecurity risk share similar characteristics of speed, scale, and complexity, organizations are redrawing the parameters of their disaster response plans and focusing more on organizational resilience. Some CAEs at the roundtable said they felt they were currently in permanent crisis mode, but with limited resources. In some sectors, regulators are pushing for organizations to take a longer-term view of their viability.
"Although the rate of change feels fast now, this is probably the slowest time we will ever operate in, as developments such as AI will accelerate faster," said Nancy Russell, CAE at Canada Life. "We need to find out what we and the regulators are comfortable with and what operational resilience means in practice, and because of the dynamics of change in the organization, we have to become comfortable with being uncomfortable as well."

As part of those efforts, organizations must recalibrate risk assessments to creatively connect apparently unrelated or unexpected threats that could combine to interrupt the business. For example, a CAE at a U.S. technology company said 80% of his business's chip-manufacturing capacity was based in Taiwan, which is under potential threat from China. He had been using tabletop scenario-planning to build up an accurate picture of how the company could pivot to meet customer demand in light of possible war, sanctions, or supply chain disruption. "Having continuity plans and resiliency practices in place to either react to or prepare in advance has really helped focus the board about resilience at a strategic level," he said.

Building rich detail into such scenarios is critical because the mitigations that arise as a consequence of dealing with threats can themselves create second- and third-order risks that need to be mitigated, but that entails collaborating more deeply with management on what can go wrong. "We have made our risk assessment meetings bigger when it comes to crises because it helps management really prepare for longer-term issues," a CAE at a higher education establishment said. Without working together to build such granular, data-driven plans, organizations will flounder when disaster strikes. "It is more important than ever to meet managers face to face and take the pulse of what keeps them up at night, as well as share what internal audit is monitoring," Hasbro's Urban said. "Nine times out of ten, you do not need a formal audit to drive change; you just need to convince the right people that the problem is really something they should be thinking about."

CAEs at the roundtable said they also supported the robustness of risk assessments, governance structures, and relevance of business continuity plans, as well as testing whether the resources are in place to carry out the plan should disaster strike. Many said they implemented a form of combined assurance for their business continuity planning, and some said they co-sourced with external experts and suppliers to make sure they had as few gaps as possible in the range of events covered and in their plans.

Resources
Business Continuity Management (The IIA)
Navigating Geopolitical Risk (Chartered Institute of Internal Auditors)
Auditing Third-Party Risk Management (The IIA)

Planning ahead to fill talent is key

The complexity of such large-scale threats requires operational continuity planning based on high levels of expertise that businesses often do not have in the current human resources crisis; human capital, diversity, and talent management and retention ranked as the second biggest threat in the survey. Key skills and talent are in short supply. Lean business models and automation have stripped out some of the resources needed for such detailed work, said CAEs at the roundtable. In addition, succession planning for key management posts is an emerging risk. It is common for hard-to-fill, senior vacancies to be open for over a year, especially in areas such as IT and in many other specialties in smaller businesses and public sector organizations. "We are trying to do more and more with less, so we are unable to offer marketable salaries," a CAE at one university said. "There is no succession plan in place for key roles and it is really impacting business continuity."

If those positions are not filled when an emergency arises, the business continuity plans will not work. Someone must be in place who will take responsibility and has practiced the response plan. Preparing for regulations on emerging risks that could disrupt the business or its supply chains, such as future U.S.-Chinese sanctions, requires organizations to hire expertise in advance. The CAE at the Taiwan-connected manufacturing business said that his company was shifting more to software development and needed not only to hire for a strategic change of direction, but also to ensure the company had the regulatory expertise to feed into its business continuity planning exercises.

Most CAEs at the roundtable said they were working to embed business continuity topics in all future internal audits, although the two biggest emerging risk areas, digital disruption and climate change, are both potentially business continuity issues that may demand more attention than expected.
BUSINESS CONTINUITY
How internal audit can help the organization
1. Evaluate how comprehensively the organization's enterprise risk management framework includes both event-based and large-scale disruptive risks.
2. Compare regulatory requirements with the organization's risk appetite to establish a suitable strategy for business continuity planning.
3. Help identify second-order or third-order risks that may arise in complex risk scenarios or because of the negative impact of first-order risk mitigation steps in the business continuity plan.
4. Review business continuity processes to ensure a wide range of voices and expertise contributes to brainstorming and plan creation to foster a longer-term outlook.
5. Support management by providing a critical independent voice at tabletop exercises to evaluate their completeness and to highlight where risk mitigation plans need additional resources or testing.
6. Provide assurance that the resources and personnel identified in disaster recovery and crisis management plans are in place and that the processes and controls that support those plans exist and work during real-time exercises.
7. Evaluate the organization's human capital needs for effective business continuity planning, including the existence of key personnel, expertise in emerging risk areas, and in the internal audit department.
INTERCONNECTED RISKS
Geopolitical uncertainty, supply chain, and regulatory change

Efforts to deal with the widespread impacts of emerging global risks are being hampered by increased regulatory requirements. CAEs are seeking better alignment with risk management in complex areas such as supply chain disruption.

Engage in strategic planning discussions for geopolitical uncertainty

CAEs at the roundtables said that many U.S. Fortune 100 companies had the risk of war on their radar. Influenced by the unexpected invasion of Ukraine by Russia in 2022 and rising tensions with China, organizations have strengthened cybersecurity defenses and revisited risk assessments, mitigations, and scenario testing across a wide range of inter-related threats, they said. Yet, like many interconnected threats in this report, it would be a mistake to consider macroeconomic and geopolitical risk simply as an individual risk category. If Brazil, Russia, India, China, and South Africa, for example, launched a much-discussed alternative global currency, it could, like other geopolitical decisions, be a key driver for a basket of associated risks that could hit North American businesses unpredictably, fast, and simultaneously across their whole enterprises.18

So, while this category ranked low in terms of audit time and effort, those efforts are most likely distributed in activities that may not be on the audit plan, such as stress testing, scenario analysis, and strategic advice. A CAE from a leading North American global consultancy said: "There is a difference between what is auditable on your audit plan, versus what you're involved with in the organization, especially when you are in the strategic planning meetings." He said that CAEs must act as strategic enablers for the board so that they can make informed, rapid decisions in such fast-moving but long-term risk scenarios.

18 For more about the BRICS currency, see https:/
Diversify the supply chain before crisis strikes

While the pandemic exposed weaknesses in global supply chain networks as ports closed and trade flow stuttered, North America is still dependent on China for much of its manufacturing. In 2023, China produced 28.4% of global manufacturing output compared with 16.6% for the U.S.; in dollars, $4 trillion and $1.8 trillion, respectively.19 Recent events have highlighted that too many organizations suffer concentration risk among key suppliers. That may be one reason political rhetoric has switched from decoupling from China to the diversification and resilience of supply chains.20 The challenge is not simply one of finding a manufacturer in a different location but, more crucially, it is to pivot the whole operational infrastructure to avoid potential logistical and quality issues.21

For example, when global toy and games company Hasbro began diversifying away from China several years ago, it needed to invest heavily across its entire operational infrastructure and with third-party partners. "You can't just pick up expertise for manufacturing high-quality products from a country that has been doing it for 50 years and transplant it into a country that has been doing it for 10," said Shannon Urban, vice president and CAE at Hasbro. Partnering to train staff at suppliers and duplicating tooling in multiple locations has both smoothed the process and introduced extra resilience into the business.

The initiative at Hasbro sat underneath a broader, management-run transformation program across the whole supply chain infrastructure to strengthen resiliency throughout the business, a major strategic project. Given that automation was a key component of the initiative, internal audit engaged with the project to provide advice on the design of effective controls for those systems and redesigned processes and controls from the outset. This kind of work requires a different skillset from traditional internal audit, so Hasbro has invested in competency assessment, training, and on-the-job coaching for the audit team.

19 For more about U.S. Statistical Division analysis of manufacturing, see https:/
20 For more about the statement on diversifying, see https:/
21 For more about the challenges of moving manufacturing, see https:/
Seek alignment and help on conflicting risks

CAEs at the roundtable agreed that regulation was complicating supply chain restructuring. The rise in expected risk for regulatory change is likely fueled by the proliferation of European-style data protection laws across North America. Unlike in Europe, where the General Data Protection Regulation of 2018 is implemented with few changes by countries within the region, North American legislators have taken those concepts and enacted widely different rules from state to state, creating a patchwork of often-conflicting compliance requirements.22 "We have reached a situation where providing absolute assurance on data privacy laws is so cost prohibitive that it is basically impossible," said Brian Tremblay, CAE at 1stDibs. He compared the current situation with data privacy to the early days of SOX compliance, where the area was so over-controlled that it soaked up too much internal audit effort.

CAEs at the roundtable agreed that internal audit's time is getting too divided to deal effectively with simultaneous emerging risks and burgeoning compliance. "Just as we are responding to these changes in consumer behavior and investing in technology, the pace of regulatory change at a federal and state level has gone berserk," said a CAE in the healthcare industry. That pressure had made her organization more reactive, she believes, pointing to one reason that internal audit time is often being redirected to regulatory compliance.

Aligning internal audit and risk management is critical, Tremblay said. Like many CAEs of publicly listed companies, he has responsibility for risk management. As part of the role, he helps define risk appetite and privacy policies as well as document how those decisions can provide better clarity on the organization's stance. Collaborating with IT to use enterprise-wide technology solutions to embed privacy controls must be a key strategy if internal auditors are not to be swamped with compliance-related work, he added.

22 For more about the data privacy laws to be implemented in 2023, see https://secureprivacy.ai/blog/2023-us-consumer-privacy-laws
INTERCONNECTED RISKS
How internal audit can help the organization
1. Support the board in strategic planning to help enable risk-informed decision making on emerging and fast-moving geopolitical and economic risks.
2. Assess the organization's processes to identify, assess, and build mitigation strategies for complex geopolitical risks, and encourage them to pay attention to the interconnections between risk categories.
3. Evaluate the organization's supply chain strategy, including whether it has adequately assessed the risks associated with in-country critical infrastructure when relocating regions.
4. Assess the organization's relationship with critical suppliers and evaluate the need for a more collaborative approach around training and capacity building.
5. Evaluate the communication between risk management and internal audit to better align on emerging risks.
6. Assess the maturity of the organization's automated controls systems to help reduce the burden of regulatory compliance.
FUTURE EXPECTATIONS
Pressure grows from digital disruption and climate change

Two areas stood out dramatically for expected increases in risk and audit effort: digital disruption and climate change. CAEs are helping their organizations better understand and manage such risks while helping to keep a strategic focus.

Survey results: Future expectations
Climate change: risk rank increased from 15th to 9th. Digital disruption: risk rank increased from 9th to 2nd.

Rapid developments in artificial intelligence in 2023 were highlighted by the huge media coverage of OpenAI's ChatGPT, a program that generates written documents on request.23 Roundtable participants said they had been carefully experimenting with the program. "We have been using ChatGPT just to pose questions, get some context, and write papers," a CAE at a retail chain said. "We have even used it for some of the board narratives and write up, but with a lot of caution." None relied on it completely for developing documents, but a CAE at a non-profit healthcare business said it had expedited his research and report writing.

The attraction is obvious: such technologies can improve productivity and competitiveness and, at a time of higher production costs and a cost-of-living crisis, improve margins. But CAEs at the roundtable agreed users do not always understand potential risks, such as breaching data compliance laws or introducing bias into decision-making processes. Because such technologies are easy to download and use, keeping abreast of those risks is difficult.

23 For more about ChatGPT, see https:/
Audit emerging IT risk at the speed of technology

"The key challenge for internal auditors is to ensure they audit at the speed of technology, because disruptive technologies typically do not have the policies, procedures, methodologies, risk assessments, and mitigations that are in place for more established IT," said Harold Silverman, The IIA's senior director of CAE and corporate governance engagement. This requires not only being present with the right knowledge when such projects start within the business, but also hiring the right skills into the audit department.

Getting a grip on data governance is key. Data governance can be hard to understand in fast-moving businesses, the focus group agreed. That has led some organizations to break down their definitions of governance into more manageable chunks: IP data governance, privacy-related data governance, and so on. Looking across different audits at these smaller topics can help, as can embedding data privacy controls into automated processes.

Climate change risk reporting needs strategic view

Having accurate data and reporting lines will be critical when businesses begin to tackle climate-related risks. Enhanced disclosure is in the pipeline from the SEC, with so-called large accelerated filers (businesses with a public float of $700 million or more) having to file on greenhouse gas emissions and other metrics from the fiscal year ended 2023.24 Smaller companies begin filing in 2024. But North American businesses are less active in this area than other regions in the world. With so many pressing high-level risks on corporate agendas, CAEs need to tread carefully in order to educate the board and start conversations that will help them prepare. "CAEs should be open minded in terms of assessing risks related to ESG topics and talking to executives and their boards about those risks, even from a strategic point of view," says Richard Chambers, senior audit advisor at AuditBoard. "Instead of just talking about risk from a negative viewpoint, CAEs should be willing to have a conversation about what the potential advantages are to a greater ESG focus."

Resources
Auditing Privacy Risks (The IIA)
Harnessing Internal Audit Against Climate Change Risk (Chartered Institute of Internal Auditors)

24 For more about SEC climate-related rules, see https://www.sec.gov/files/33-11042-fact-sheet.pdf
FUTURE EXPECTATIONS

How internal audit can help the organization

1. Engage with management on emerging technologies to provide risk and controls advice on the implementation of new systems.
2. Evaluate how management structures and thinks about data, including whether the data taxonomy is granular enough to identify and mitigate appropriate risks.
3. Provide assurance that the business identifies core IT systems and processes that can be used to embed privacy and data controls to reduce the compliance burden across the three lines.
4. Evaluate the completeness and accuracy of data processes in the organization that relate to ESG issues, with particular attention to forthcoming regulatory compliance requirements on climate-related disclosures.
5. Proactively broach ESG-related issues and other emerging risks with the board, emphasizing the potential upsides of taking a proactive, early-adopter strategic position.

PAGE 46 OF 49
ACKNOWLEDGMENTS

North America Report Development Team
Project directors: Laura LeBlanc, Senior Director, Internal Audit Foundation; Deborah Poulalion, Senior Manager, Research and Insights, The IIA; Emely Katz, Director, Affiliate Engagement, The IIA
Survey analysis and content development: Deborah Poulalion, Senior Manager, Research and Insights, The IIA
Research writer: Arthur Piper, Smith de Wint, United Kingdom
Graphic designer: Cathy Watanabe
Roundtable moderator, North America: Harold Silverman, Senior Director, CAE and Corporate Governance Engagement, The IIA
French translation: IIA Canada
North America Report Sponsor: AuditBoard
Cover photo: Nova Scotia, Canada, courtesy of Getty Images

Internal Audit Foundation 2023-24 Board of Trustees
President: Warren W. Stippich Jr., CIA, CRMA
Senior Vice President, Strategy: Glenn Ho, CIA, CRMA
Vice President, Finance and Development: Sarah Fedele, CIA, CRMA
Vice President, Content: Yulia Gurman, CIA
Trustees: Hossam El Shaffei, CCSA, CRMA; Reyes Fuentes Ortea, CIA, CCSA, CRMA; Nora Kelani, CIA, CRMA; Shirley Livhuwani Machaba, CCSA, CRMA; Raoul Ménès, CIA, CCSA, CRMA; Hiroshi Naka, CIA; Anthony J. Pugliese, CIA; Bhaskar Subramanian
Staff liaison: Laura LeBlanc, Senior Director, Internal Audit Foundation

Internal Audit Foundation 2023-24 Committee of Research and Education Advisors
Chair: Yulia Gurman, CIA
Vice-Chair: Jane Traub, CIA, CCSA, CRMA
Members: Tonya Arnold-Tornquist, CIA, CRMA; Christopher Calvin, CIA; Jiin-Feng Chen, CIA; Andre Domingos; Christina Duquette, CRMA; Marc Eulerich, CIA; Dagmar Flores, CIA, CCSA, CRMA; Anargul Kairulla, CIA; Ayaka Mitsunari; Ahmed Mohammed, CIA; Grace Mubako, CIA