
Gartner: 2023 Audit Plan Hot Spots Report (English, 32 pages).pdf


2022 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This presentation, including all supporting materials, is proprietary to Gartner, Inc. and/or its affiliates and is for the sole internal use of the intended recipients. Because this presentation may contain information that is confidential, proprietary or otherwise legally protected, it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates.

2023 Audit Plan Hot Spots
Audit Research Team
Sample Report Excerpt
RESTRICTED DISTRIBUTION

Table of Contents
Objectives
Executive Summary
2023 Audit Plan Risk Areas (Excerpt)
  Cyberthreats
  IT Governance
  Data Governance
  Third-Party Risk Management
Appendix

Objectives
Our Audit Plan Hot Spots series identifies and analyzes the key risk areas that audit departments anticipate focusing on during the next year. Our hot spots research enables audit departments to do the following:
- Benchmark Audit Plan Coverage: Compare, validate and further examine audit plan coverage.
- Assess Key Risks: Determine appropriate questions to ask management during risk assessment and audit scoping.
- Drive Audit Team Discussions: Enable audit team discussions during audit engagement planning and scoping.
- Educate the Audit Committee: Educate the audit committee on the current risk trends that affect global organizations.

Executive Summary
Each year, we create our annual Audit Plan Hot Spots report by combining input from interviews and surveys throughout our global network of client organizations as well as extensive secondary literature reviews. This report highlights current risks and trends in the business environment. It helps audit teams more effectively identify risks to the organization and highlight key risks for stakeholders. This year, three themes underlie the 12 hot spots:
1. The “Triple Squeeze”
2. Renationalization
3. Rethinking Resilience

Renationalization
In the past few years, the long trend toward globalized trade that accelerated when China and India joined global markets has reversed due to increased political populism and tension between global players. The supply chain issues caused by the COVID-19 pandemic further increased the need to onshore and “nearshore.” The Russian invasion of Ukraine amplified this issue, dividing the world and leading to the need to also “friendshore.” Renationalization and the uprooting of long-held assumptions of being able to rely on a global, just-in-time market will have a long-lasting impact and will increase multipolarization and geopolitical assertiveness. This shift may lead to increased regionalization of trade markets and business conducted between organizations of friendlier states. In addition to the pure supply chain risk, we also see the impact in the following risk areas:

First, renationalization is playing out in the arena of cyberthreats. Ninety-two percent of organizations have either recently faced or expect to face a state-sponsored cyberattack, as most state-sponsored attacks target enterprises. This is often for monetary gain, such as North Korean crypto-related attacks, but given the onset of new Russia-NATO and China-U.S. tensions, there is an increased threat of cyberattacks for retaliatory purposes. This heightened threat is also causing regulators to pay increased attention, driving new disclosure rules in the U.S. and the U.K.

In terms of ESG (Environment, Social, Governance), the world is becoming divided as regulations and scrutiny increase. Western countries, and many Asian countries, are divided on the importance of ESG and the need to regulate it. Further, among Western countries, we have observed increasing divergence on how to standardize reporting requirements and regulations amid debates over where the focus should be. The EU, for example, recently decided to put the S components on hold.

We also see renationalization being a big issue for the use of data and data governance. With the use of artificial intelligence (AI) set to expand and the centrality of data to business models increasing generally, more and more countries are instituting more stringent data requirements (e.g., data localization). Vastly different points of view are emerging on what AI and data risks, like those involving personal data, should be regulated.

The “Triple Squeeze”
Opinions and forecasts are highly divided, but within the next 12 months, a recession is more likely to occur than not. If a recession does happen, then it may be quite different from previous ones. It will include three compounding pressures that most executives have likely never experienced concurrently: persistent high inflation, scarce and expensive talent, and global supply constraints. The potential recession is also positioned to be a highly uneven one, with some regions, industries and companies likely performing stronger than ever while others struggle. These unusual characteristics might manifest in the following risks:

Going forward, the main squeeze organizations will encounter is the overall upward cost pressure. Eighty-two percent of CEOs globally say they are facing upward price pressure for inputs, and more than half expect this to persist at least into mid-2023. Unusually and problematically, the upward pressure is on product inputs, talent costs as well as borrowing costs. In addition, tax codes are changing, looking likely to significantly increase the tax burden.

The most apparent squeeze during the past 12 months has been in supply chains. Driven by pent-up COVID-19 pressure, pandemic-induced lockdowns and misjudged forecasts, further exacerbated by the Russian invasion of Ukraine and energy costs, the delivery of products ranging from semiconductors to construction materials has been curtailed. In response, organizations are questioning their assumptions and looking to make their supply chains more resilient and more geopolitically stable.

The final factor we observed over the past year, and are likely to see going into 2023, is that of labor scarcity. Due to the “great resignation,” we have seen in the U.S. and other large markets an underlying trend of skills shortages in technology areas, as organizations struggle to fill jobs and forecast labor supply. This issue manifests in overall workforce management risk, where organizations must weigh competing signals in forecasting talent needs. It also manifests specifically within IT. IT staff's low intent to stay in the organization and the heightened difficulty of recruiting IT talent are a threat to maintaining sufficient IT governance.

Rethinking Resilience
The third and final theme underlying this year's hot spots is the need for organizations to rethink what resilience means for them, in the sense of increased fragility. Since the onset of the COVID-19 pandemic and its consumer spending and supply chain effects, and then continuing through the Russian invasion of Ukraine and its macroeconomic and geopolitical effects, organizations are increasingly realizing their fragility and the need to implement new types of resilience measures and increase their long-term thinking. Organizations find it increasingly clear that the pace of disruption and the frequency of disruptive events will not slow down, and that we are entering a new “never normal” era. This sense of fragility and the need to focus on resilience is apparent in the following risk areas:

Environmental sustainability, for the first time, has entered the top 10 of CEO priorities. Increased climate degradation requires organizations to go beyond identifying assets that may become an operational risk or formulating a sustainability strategy. Organizations need to prepare for increasingly frequent and extreme weather events and the potential loss of critical infrastructure.

The external environment of macroeconomic volatility is not helping. With interest rates rising rapidly in most main markets, and a reverse currency war starting, organizations need to vastly increase the range of scenarios they plan for to effectively deal with a potential recession, volatile currencies and changes in global demand.

Another source of fragility that is difficult to discern and mitigate is third-party risk management. Organizations' reliance on ecosystems of third and nth parties, which has become the norm in hyperoptimized supply chains and business operations, has not been tested against the current level of volatility. Due to geopolitical tensions and a more financially challenging environment, a potential recession can cause havoc if organizations are overly reliant on small third parties.

Culture has been a very important source of resilience for many organizations for a long time. That resilience is now under threat, as organizational culture weakens from hybrid and remote work, leading to employee disconnectedness. This challenge is further aggravated by political and social divides that increasingly enter the organizational domain and dominate other cultural norms.

Finally, what it all comes down to is the need for organizational resilience. Defined broadly, this means the ability of the organization to withstand shocks, both to operations and to business models, and persist in the long term in the face of unexpected disruptions. Fast-moving events, like geopolitical reprisals, may provide little warning before manifesting in several, interrelated risks, while the increased pace of change in the last two years strains organizations' ability to respond to them.

Hot Spots Summary (hot spot, summary, 2023 drivers, 2022 drivers)

Cyberthreats
Summary: Heightened scrutiny on cyber breach disclosures alongside sophisticated state-sponsored attacks makes cyberthreats a growing risk in 2023, increasing organizations' exposure to reputational, litigation and regulatory risk.
2023 drivers: 1. State-Sponsored Cyberattacks; 2. Cyber Breach Disclosure Requirements
2022 drivers: 1. Lapses in Security Controls; 2. Increased Employee Vulnerability to Social Engineering

IT Governance
Summary: Higher use of ungoverned SaaS increases organizations' risk exposure, and an ongoing IT talent deficit further hinders enterprise agility and digital capability development. This issue leaves organizations exposed to enterprise growth and governance risks.
2023 drivers: 1. Ungoverned SaaS; 2. IT Talent Shortage
2022 drivers: 1. Rapid Adoption of New Technologies; 2. Access Management Challenges

Data Governance
Summary: Organizations increasingly employ AI with little formal oversight, and the fragmented regulatory landscape highlights the need for organizations to improve governance over how they use and protect data assets.
2023 drivers: 1. AI Governance; 2. Personal-Data-Related Regulatory Fragmentation
2022 drivers: 1. Ineffective Data and Analytics Organizational Models; 2. Insufficient Data-Sharing Enablement and Controls

Third-Party Risk Management
Summary: A combination of new third-party ESG reporting requirements and increasing financial and operational constraints elevates the risk of reputational damage from third parties. Further, the current macroeconomic conditions that raise concerns about third parties' financial viability may result in operational disruptions, high costs of switching vendors, and product quality and reliability issues for the organization.
2023 drivers: 1. Third-Party Reputational Risk; 2. Third-Party Viability
2022 drivers: 1. Limited Third-Party Risk Monitoring; 2. Unsupervised Privileged Access

Organizational Resilience
Summary: Organizations' ability to withstand crises and disruptions is evermore critical, as they are increasingly being tested. Each crisis reveals more areas of organizational fragility.
2023 drivers: 1. Geopolitical Conflict; 2. Diminished Change Capacity
2022 drivers: 1. Climate Degradation; 2. Regulatory Interest in Operational Resilience

Environmental, Social and Governance (ESG)
Summary: Expanding and new ESG regulations and increased stakeholder scrutiny mean organizations must build meaningful ESG policies into their strategies to follow all current regulations and avoid accusations of greenwashing.
2023 drivers: 1. Expanded ESG Reporting Standards; 2. Increased Scrutiny of ESG Practices
2022 drivers: 1. Increasing Capital Tied to ESG Performance; 2. Increased Legal and Regulatory Action on ESG

Supply Chain
Summary: Increasing geopolitical conflict, resulting in localization measures and logistical challenges across supply chains, has contributed to rising prices and diminishing ability to access critical materials. Organizations face the risk of declines in revenues, profitability, operational effectiveness and the ability to compete.
2023 drivers: 1. Renationalization of Supply Chains; 2. Logistics Challenges Stemming From China's “Zero-COVID” Policy
2022 drivers: 1. Key Goods and Materials Shortages; 2. Logistics and Shipping Challenges

Macroeconomic Volatility
Summary: A global economic downturn and a sharp rise in interest rates across the world increase risks to organizational assets and cash flows, threatening long-term financial performance and exacerbating an already highly uncertain operating and risk environment.
2023 drivers: 1. Rising Interest Rates; 2. Currency Volatility
2022 drivers: 1. Heightened Inflation Uncertainty; 2. Variances in the Global Economic Recovery

Workforce Management
Summary: A combination of competitive labor markets with an expected cooling of economic growth fosters further uncertainty for organizations with regard to workforce management. With organizations undecided on their talent needs (in the case of a recession and the future of remote or hybrid work not yet fully determined), those who commit too quickly or too far face talent and business losses that are not easily reversible.
2023 drivers: 1. Uncertain Talent Needs; 2. Uncertain Long-Term Effects of Hybrid Working Models
2022 drivers: 1. Cultural Disconnects in a Hybrid Workforce; 2. COVID-19 Workplace Management Uncertainty

Cost Pressures
Summary: Organizations are struggling with persistent cost pressures driven by an unyielding inflationary environment and an increase in regulatory complexity that has heightened the pressure on organizations to reduce costs and revisit their growth strategies.
2023 drivers: 1. Persistent Inflation; 2. Changes to Tax Regimes
2022 drivers: Not a 2022 hot spot

Culture
Summary: Organizations are increasingly expected to weigh in on social and political issues as societal divisions spill over into the workplace and create potential rifts in organizational culture. At the same time, employees are experiencing high levels of disconnectedness from their organizations and co-workers, increasing exposure to risks from attrition to misconduct.
2023 drivers: 1. Employee Disconnectedness; 2. Increasing Social and Political Expectations
2022 drivers: Not a 2022 hot spot

Climate Degradation
Summary: As the long-term impacts of climate change begin to take hold, an increased recurrence of extreme weather events threatens business continuity and vulnerable critical infrastructure.
2023 drivers: 1. Increased Recurrence and Effects of Extreme Weather Events; 2. Vulnerable Critical Infrastructure
2022 drivers: Not a 2022 hot spot

2023 Audit Plan Hot Spots

Cyberthreats
State-sponsored cyberthreats and heightened scrutiny on attack disclosures make cyberthreats a growing risk in 2023.

Year-over-year cyberattacks continue to evolve and increase.[1] Sixty-eight percent of organizations experienced at least one ransomware attack in 2021, 65% experienced more than three and 15% experienced 10.[2] Ninety-two percent of organizations say they faced or suspect they might have faced a state-sponsored cyberattack between July 2020 and December 2021, or expect to face one in the future.[3] Russia's invasion of Ukraine and the resulting hostility between Ukraine-aligned states and Russia could expose organizations to increased cyberthreats.[4] Further, increases in personal data breaches have led to new regulatory requirements, which many expect will have significant implications for organizations in cybersecurity reporting, disclosure and governance.[5] On top of the financial cost that a cyberattack can generate, organizations that fail to consider the effects of potential regulation on cyber disclosures may face fines, litigation risk and reputational damage.

Confidence in Audit's Ability to Provide Assurance Over Cybersecurity Risk (percentage of respondents, n = 111; Source: 2023 Gartner Audit Key Priorities and Risks Survey):
- Highly confident: 42%
- Somewhat confident: 56%
- Unconfident: 2%

Plans to Cover Cybersecurity in Audit Activities in the Next 12-18 Months (percentage of respondents, n = 112; Source: 2023 Gartner Audit Key Priorities and Risks Survey):
- Definitely will be covered in audit activities: 81%
- Tentatively will be covered in audit activities: 13%
- No activities currently planned: 6%

Cyberthreats: Urgency Drivers

Key Risk Indicators
- Mean time to incident detection
- Mean time to incident resolution
- Mean time to recovery (MTTR) of compromised application
- Average time since last patching of systems and endpoints
- Number of “Shields Up”-type warnings by government agencies
- Percentage of applications with automated disaster recovery
- Frequency of backups and tests
- Volume of traffic originating from unknown IP addresses
- Days since most recent comprehensive network security penetration test
- Percentage of network devices not meeting configuration standards

State-Sponsored Cyberattacks
State-sponsored cyberattacks against enterprises are already widespread, but attackers' changing motivations could increase and worsen them.[6] Some current attacks steal cryptocurrencies or other assets for revenue generation.[7] North Korea, for instance, allegedly stole nearly $400 million in digital assets in 2021.[8] Others exfiltrate intellectual property to support domestic industries.[9] U.S. authorities opened a China-related investigation every 12 hours in early 2022, many concerning cyber-based intellectual property theft.[10] Even before the Russian invasion of Ukraine, 39% of organizations already believed that Russian state-sponsored actors targeted them.[11] Worse, Ukraine-aligned governments believe Russia could retaliate against critical infrastructure and key economic institutions in an escalation of conflict.[12] State-sponsored attacks against these targets can be hard to prevent or detect due to their sophistication (e.g., lingering in systems and using third parties as vectors). The consequences of state-sponsored attacks could rise substantially if the motive behind them becomes retaliation instead of profit.

Cyber Breach Disclosure Requirements
Several new and proposed breach disclosure requirements raise the possibility that organizations may be forced to disclose reputationally damaging information about cyber capabilities and conform to potentially burdensome disclosure standards. A new law in the U.S. requires critical infrastructure companies to report cyber incidents within 24 or 72 hours, depending on the event.[13] The U.S. Securities and Exchange Commission has proposed a further requirement for publicly listed companies to report incidents within 96 hours.[14] In Australia, critical infrastructure operators must report critical and other cyber incidents within 12 or 72 hours, respectively.[15] The U.K. government has also advised legal bodies to consider disclosures of ransomware incidents involving personal data to authorities as a mitigating factor in deciding penalties.[16] Organizations worry these disclosure requirements might harm their reputations as responsible stewards of data or even lead to oversharing intellectual property or cybersecurity practices.[17] Breach disclosure requirements can now turn cyberthreats into substantial regulatory risk for many organizations.

Cyberthreats: Recommendations for Audit
- Review Cyber-Risk Management Program and Processes: Review cybersecurity program definitions, framework, and the quality and thoroughness of assessing risks, mitigations and controls.
- Review Information Security Threat Intelligence Practices: Evaluate the thoroughness and completeness of IT and information security's practices around discovering emerging risks and threats.
- Assess Monitoring Practices: Examine how the IT department performs monitoring of applications, databases, the network and other assets to detect any unusual activities, especially over assets that are operationally critical or hold sensitive data or information.
- Assess the Effectiveness of Escalation and Coordination in Incident Response: Evaluate current incident response plans to ensure effective and timely escalation, coordination and communication to concerned stakeholders.
- Review the Incident Response Plan: Assess how roles and responsibilities are defined to deal with cyber incidents. Test whether the individuals in question are fully aware of their duties.
- Examine Existing Cybersecurity Reporting Capabilities: Evaluate the baseline for current cybersecurity reporting capabilities. This should include reporting capabilities for incidents and cyber-defense posture (e.g., the board's cyber expertise, governance and oversight).

Cyberthreats: Questions for Management
- What indicators do we use to determine whether there is suspicious activity concerning our networks or assets?
- How often do you conduct mock-phishing tests to see how many employees click on suspicious emails, and how do you analyze the results of those tests?
- What procedures are in place for educating the employees who click on the phishing test emails?
- When was the last time the organization carried out a cyber tabletop exercise?
- Who in the organization is responsible for responding to cyberattacks, and how?
- What are the highest-sensitivity data or digital assets that could be used for extortion?
- What policies are in place to ensure that data is backed up as per risk assessments?
- Who is accountable for including regulatory considerations for new cybersecurity initiatives?
- Who is responsible for drafting cyber disclosures?
- How are cyber disclosures vetted?

IT Governance
Amid increasing pressures around executing digital business models, most organizations plan to increase IT investments.[18] Many organizations plan to improve enterprise agility, business resilience and data and analytics capabilities.[19] However, resourcing and governance challenges, such as the scalability of existing IT governance models, threaten these investments. With more technology spending led by business units themselves, with no or little IT oversight, 69% of IT leaders cite “shadow IT” as a top security concern.[20] Another challenge for IT governance, in the wake of the COVID-19 pandemic, is strained capabilities. An acute scarcity of talent threatens IT's ability to implement new capabilities and maintain existing ones, including controls.[21] Organizations that fail to back digital business acceleration with investments in the IT department that increase its ability to oversee a growing, complex web of digital services may see digital bets pay off slowly, or expose the organization to governance risk as business units find their own solutions to IT's lack of agility.[22]

Confidence in Audit's Ability to Provide Assurance Over IT Governance Risk (percentage of respondents, n = 111; Source: 2023 Gartner Audit Key Priorities and Risks Survey):
- Highly confident: 55%
- Somewhat confident: 44%
- Unconfident: 1%

Plans to Cover IT Governance in Audit Activities in the Next 12-18 Months (percentage of respondents, n = 112; Source: 2023 Gartner Audit Key Priorities and Risks Survey):
- Definitely will be covered in audit activities: 63%
- Tentatively will be covered in audit activities: 30%
- No activities currently planned: 6%
Note: Totals might not sum to 100% due to rounding.

IT Governance: Urgency Drivers

Key Risk Indicators
- Number of uses of unauthorized software or services discovered by IT monitoring tools
- Incidents of data sharing between authorized and unauthorized software and services discovered by IT monitoring tools
- Percentage of approved applications monitored by cloud access security broker and other tools
- Growth or decline in number of privileged accounts for SaaS services
- Percentage of new hires in areas identified as IT skills gaps
- Percentage of new certifications in areas identified as IT skills gaps
- Retention rates of employees in key IT roles
- Training hours per IT employee
- Offers for IT roles accepted as a percentage of offers extended
- Trends in average time to fill a vacant IT position over a specific period

Ungoverned SaaS
As software as a service (SaaS) covers larger segments of business activity and becomes easier to procure, globally, spending on SaaS is expected to increase over 17% through 2023.[23] SaaS providers often market their products directly to business units. The products' ease of use, often operating over internet browsers and offered in “freemium” versions, makes them simple for individuals in business units to adopt without IT's involvement. Fifty-nine percent of U.K. organizations believe they have incomplete knowledge of their employees' usage of SaaS.[24] About the same number of U.S. and Canadian organizations acknowledge related management concerns.[25] Deploying these applications and platforms can include unexpected costs, performance issues (e.g., service availability), data recoverability challenges and compliance issues.[26] Furthermore, if a “shadow” SaaS becomes critical to business units, IT departments may find themselves unable to integrate it with other IT services later, potentially harming IT agility. Amid a period of fast business evolution, organizations that fail to provide for both agility and governance in SaaS may find themselves with governance challenges that are difficult to address retroactively.

IT Talent Shortage
While strategies increasingly rely on IT capabilities, IT departments struggle to retain highly skilled employees and upskill their current workforces.[27] Fifty-three percent of IT leaders say the IT talent shortage is a critical challenge following a record year of attrition in 2021.[28] The skills necessary for IT transformation, such as cloud and agile development, are among the hardest for which to hire in the global talent market.[29] Just retaining IT talent is challenging. Only 32% of IT workers highly intend to stay with their current organizations.[30] Upskilling existing IT employees is a perennial challenge further exacerbated by the COVID-19 era's pace of change. Only 52% of organizations have implemented IT upskilling programs, with around half citing lack of time and budget as barriers.[31] As organizations look to IT to support digital capabilities that enable enterprise agility amid dynamic business plans, shortages of key IT skills may be a primary bottleneck.

IT Governance: Recommendations for Audit
- Assess How the Organization Monitors for Unauthorized Software Use: Determine the methodologies, procedures and technologies (especially cloud access security broker tools) in place for monitoring the network for unauthorized software and unauthorized interfacing between authorized and unauthorized software.
- Review Information Security Policies and Training: Review information security policies to be sure they explicitly preclude unauthorized software use and that effective training exists to make employees aware of this prohibition. Assess organizational procedures for requesting new software for business purposes and how they are communicated to business units.
- Review Organizational SaaS Governance Structures: Review SaaS governance measures in the organization and determine the level of SaaS oversight the IT department has. Ensure the organization has a written directive regarding SaaS ownership to specify governance rules and enforcement.
- Review IT Talent Assessments: Determine if IT and business units have targeted assessments of IT and technical talent skills and potential gaps. This review should include how the core competencies and skills needed to meet security and other IT objectives are defined. Review assessments to be sure they consider both short- and long-term business needs.
- Conduct Ongoing IT Talent Monitoring and Tracking: Review progress on proposed workforce plans and IT talent risk-mitigation strategies. Assess whether plans are adequately updated as business priorities and organizational needs change. Communicate progress to management to drive urgency and accountability.

IT Governance: Questions for Management
- How does the IT department monitor the use of potentially unauthorized software in the network or unauthorized interfaces between enterprise data and unapproved applications (e.g., CASB, SaaS monitoring tools)?
- How would the IT department respond if it learned that employees were regularly using an unapproved application or service for business purposes?
- How would the IT department respond if it learned that employees had exported data to an unapproved application or service?
- What processes exist for the IT department to vet business-led IT subscriptions and investments?
- How are you ensuring cross-silo collaboration when implementing and scaling IT investments?
- What IT skills do we currently lack that are critical to present operations?
- Which technical skills are needed by the business to reach its long-term goals?
- How do you attract and retain talent with key technical skills?
- How have you adjusted your recruiting efforts to better attract technical talent?
- What metrics are in place to track the quality and efficacy of IT upskilling programs?

Data Governance
With digital business models increasingly reliant on analyzing customer preferences and behaviors, organizations collect more data subject to legal, regulatory and ethical concerns every year.[32] Artificial intelligence (AI), long largely an experiment in the business context, is set to become a common means of harnessing such data, with the number of organizations deploying AI set to approximately triple in the next three years.[33] AI is now learning customer habits, directing data campaigns and changing organizational decision making.[34] However, the way AI algorithms operate, or other key aspects of AI use, may go ungoverned, with organizations often unaware of AI capabilities or even that services in their IT environments incorporate AI.[35] Regulators, too, are in a constant state of catch-up when it comes to data and privacy trends, like AI. The result is an increasingly fragmented regulatory landscape that produces disparate data requirements, making compliance between jurisdictions expensive and time-consuming. Organizations that fail to govern their emerging data practices risk a wide range of consequences amid an increasingly fragmented regulatory environment.

Confidence in Audit's Ability to Provide Assurance Over Data Governance Risk (percentage of respondents, n = 111; Source: 2023 Gartner Audit Key Priorities and Risks Survey):
- Highly confident: 38%
- Somewhat confident: 59%
- Unconfident: 4%
Note: Totals might not sum to 100% due to rounding.

Plans to Cover Data Governance in Audit Activities in the Next 12-18 Months (percentage of respondents, n = 112; Source: 2023 Gartner Audit Key Priorities and Risks Survey):
- Definitely will be covered in audit activities: 58%
- Tentatively will be covered in audit activities: 30%
- No activities currently planned: 12%

Data Governance: Urgency Drivers

Key Risk Indicators
- Number of known AI capabilities embedded in the organization
- Number of product features deployed and in development that rely on AI capabilities
- Frequency of model performance monitoring
- Frequency of AI documentation updates
- Frequency of retention, purging or deletion actions among specified personally identifiable information (PII), compared to requirements
- Frequency of updates to data classification and use policies
- Number of approved exceptions to data and analytics policies
- Number of employees who can access PII
- Frequency of authorized third-party access to PII
- Number of third parties recognized as high-risk with access to PII

AI Governance
Most enterprises plan to deploy AI or machine learning (ML) for the first time by 1Q24, and a quarter have already done so.[36] As such, organizations have little time to improve their data governance before AI becomes embedded into business capabilities. Insufficient oversight of data used by AI can pose a wide variety of risks, including in the compliance, reputational and cyber domains.[37] Several high-profile incidents have demonstrated the real effects of “data poisoning,” or the malicious introduction of a bias into an AI model.[38] Privacy-related AI risk is another concern, with 41% of organizations having experienced an AI-related privacy breach, and over one in four from a malicious actor.[39] Regulators have taken notice of AI's privacy i

113、mplications.A draft proposal from the European Commission would empower regulators to order AI models retrained or deleted when systems pose a“high risk”to certain personal data.40Despite all of the challenges regarding AI governance,many organizations do not even realize their exposure to these ris

114、ks,given the increasing amount of AI that is embedded within third-party services.41Personal-Data-Related Regulatory Fragmentation Though the number of regulations over personal data governance,such as the General Data Protection Regulation(GDPR)in the EU and the California Consumer Privacy Act(CCPA

115、)in the U.S.,have been rising steadily for some time,2023 presents new-in-kind challenges for personal data compliance.The variety of new requirements,some with distinct regulatory intent,may pose a particular challenge.For example,while several data privacy laws will go into effect in the U.S.in 20

116、23,they treat the consent required to process personal data differently.42The U.S.laws also differ from the EUs GDPR in that the former require“opt-out”preferences,to sell personal information,and the latter requires“consent.”43Governments use of data localization requirements(to host data within a

117、country or region)is also increasing.As of 2022,75%of countries have implemented data localization rules,but these countries have disparate aims.44Some countries plan to protect privacy(e.g.,health information),but others plan to protect state security or domestic industries.45Personal data regulato

118、ry fragmentation along with the prospect of increasing privacy demands may prove a technical challenge to data governance strategies.RESTRICTED DISTRIBUTION21 2022 Gartner,Inc.and/or its affiliates.All rights reserved.775503Data GovernanceRecommendations for Audit Review Documentation for AI Project

119、s:Review documentation for all AI-related projects to determine how those projects might expose the organization to risks and potential controls and mitigations.Review AI Governance Priorities and Standards:Review how IT or others identify risks and create standards to allow AIs deployment that cont

120、rols or mitigates potential risks(including both guidelines and automated controls),and who provides oversight over the mitigations and controls implementation.Assess how IT or other risk managers identify the criticality of AI-related applications,data or other assets.Review AI Monitoring Practices

121、:Evaluate practices for monitoring AI and related data and analytics capabilities for signs of bias or malicious interference.Assess the Organizations Current Level of Data Privacy Regulation Compliance:Assess the organizations current progress in complying with applicable regulatory mandates and an

122、y gaps in current policies.Review how the organization identifies and tracks regulations on personally identifiable information(PII)use.Assess Data Access and Storage Policies:Review policies that govern data access and storage(i.e.,protection,retention and deletion)and determine who is responsible

123、for regular review,evaluation and updates to individual policies.RESTRICTED DISTRIBUTION22 2022 Gartner,Inc.and/or its affiliates.All rights reserved.775503Data GovernanceQuestions for Management How do you determine whether an AI capability is ready for deployment?How do you understand whether thir

124、d parties are using AI in the services they provide to the organization,and how is such AI vetted for compliance with organizational policies?How do you confirm whether AI capabilities under development or in deployment meet legal and compliance requirements?How do you monitor AI for anomalies or dr

125、ift after deployment?How do you ensure that the results of algorithms and AI that use personal data are explainable and transparent?What categories of AI-related risk controls does the organization recognize and which categories contain the biggest control gaps presently?How does the organization tr

126、ack regulatory developments concerning AI,PII and other data-and-analytics-related issues?How is employee training being updated to conform with new regulations concerning PII?What guidelines do you follow to identify and classify data retained as necessary for your business unit?What are the most i

127、mportant actions you take to monitor third parties access to sensitive or personal data?RESTRICTED DISTRIBUTION23 2022 Gartner,Inc.and/or its affiliates.All rights reserved.775503Confidence in Audits Ability to Provide Assurance Over Third and“Nth”Party Risk Percentage of Respondentsn=110Source:2023

128、 Gartner Audit Key Priorities and Risks SurveyNote:Totals might not sum to 100%due to rounding.Plans to Cover Third and“Nth”Parties in Audit Activities in the Next 12-18 MonthsPercentage of Respondentsn=112Source:2023 Gartner Audit Key Priorities and Risks SurveyNote:Totals might not sum to 100%due

129、to rounding.23%Highly Confident3%Unconfident75%SomewhatConfident12%No ActivitiesCurrently Planned52%Definitely Will Be Coveredin Audit Activities37%Tentatively Will BeCovered in Audit ActivitiesThird-Party Risk ManagementThird-party incidents,such as data breaches,compliance issues and supply chain

130、disruptions are increasing annually.46Eighty-two percent of organizations say third-party risk incidents disrupted operations at least once in the last 12 months.47As a result,83%of organizations reported increased organizational focus on third-party risk.48Yet,many organizations have poor third-par

131、ty risk visibility.For example,only 11%of organizations monitor supplier risks continuously,and only 48%understand the risk their Tier 1 suppliers face.49Forty-five percent of organizations say their third-party risk management(TPRM)programs are primarily focused on IT vendors,leaving a variety of p

132、artner relationships either unexamined or examined by siloed functions.50This limited visibility may be especially costly in 2023,when organizations third parties will likely face a challenging business environment and volatile markets.Organizations that fail to evolve their TPRM practices may expos

133、e themselves to a variety of risks that are not always examined in TPRM programs,such as regulatory fines,reputational damage and operational disruptions.RESTRICTED DISTRIBUTION24 2022 Gartner,Inc.and/or its affiliates.All rights reserved.775503Third-Party Risk ManagementUrgency DriversKey Risk Indi

134、cators Number of critical third parties Frequency of updates to third-party risk profiles Number of disruptions and failures involving or triggered by third parties Number of third-party disruptions,such as operational delays,regulatory fines and loss of critical data“Downstream”Scope 3 emissions(e.

135、g.,use of products,end-of-life processing of sold products)“Upstream”Scope 3 emissions(e.g.,preproduction supply chain emissions)Critical supplier days payable outstanding Critical supplier percentage of invoices paid on time Third-party current ratio;working capital ratio;acid test ratio Number and

136、 size of regulatory fines(e.g.,GDPR fines)per periodThird-Party Reputational RiskThe combination of new third-party reporting requirements and increasing financial or operational constraints could increase the risk of reputational damage from third parties in 2023.Due to inputs,staffing and other ec

137、onomic challenges,suppliers and others may reorient focus from supply chain ethics and ESG toward more acute problems.51This shift may increase incidents in an area over which organizations already have limited visibility.52Additionally,new reporting requirements will raise third-party reputational

138、risk exposure from supply chains.In 2022,Germany and Norway joined other countries in requiring reporting on ethical supply chain due diligence,while EU and Canadian officials have proposed similar measures.53Meanwhile,the U.S.proposed joining other countries in requiring reporting of Scope 3 emissi

139、ons(from“upstream or downstream”activity),while the U.K.and EU will enhance existing Scope 3 requirements.54Because consumers tend to hold the organization liable for third-party ethical lapses rather than the organizations suppliers or partners,more stringent reporting requirements and third partie

140、s potential shifting priorities increase reputational risk exposure.Third-Party ViabilityCurrent macroeconomic conditions raise concerns about third parties business continuity,including their financial viability.As a long period of low interest rates and low inflation gives way to ballooning costs

141、and volatility,investors are derisking portfolios,and banks are restricting credit.55Analysts forecast this movement,combined with dwindling government support,will raise business insolvencies by 14%in 2023.56Particular suppliers or partners may be especially vulnerable.In the U.S.,43%percent of sma

142、ll businesses(often critical providers to larger ones)say their own supply chain issues have worsened since the beginning of 2022,while 56%percent report deteriorating economic circumstances generally.57Some sectors,like retail in the U.S.,may see bankruptcy waves from pandemic-related realignment o

143、f spending habits.58Organizations in some regions may also be at greater risk,such as in those with less government support,like the U.K.,or high business debt-to-GDP ratios,like Japan and the eurozone.59Yet,36%of organizations do not regularly assess third-party business or financial risks,potentia

144、lly exposing organizations to disruptions,high costs of switching vendors,and product or operational issues.60RESTRICTED DISTRIBUTION25 2022 Gartner,Inc.and/or its affiliates.All rights reserved.775503Third-Party Risk ManagementRecommendations for Audit Review How(and Whether)Scope 3 Emissions are A

145、ssessed:Review materiality assessments or other ESG assessments to determine whether and how the organization assesses Scope 3 emissions.Review Ethical Supply Chain Compliance Tracking:Assess the organizations process for identifying and interpreting relevant ethical supply chain regulations in all

146、applicable jurisdictions,and determine whether the organizations ethical supply chain practices currently address their requirements.Assess the Extent of Continuous Monitoring of Key Third-Party Relationships:As initial due diligence does not ensure continuing third-party compliance with requirement

147、s,assess whether relevant functions monitor third-party behaviors and policies on an ongoing basis.Review the frequency of which risk profiles are reassessed and updated.Assess Third Parties Effects in Business Continuity Management:Assess whether third-party risk management is integrated into busin

148、ess continuity management approaches and plans.Review the third-party portfolio to ensure that when the organization relies on a single partner for services,it has a strategy in place for managing business interruptions should the third party be unable to deliver services.Assess Third-Party Contract

149、s:Evaluate the process for writing and approving contracts with third-party vendors and contractors,ensuring they adequately stipulate information security,data privacy and other requirements.Assess activities aimed at ensuring third-party adherence to contracts,particularly for critical or high-ris

150、k third parties.Assess Third-Party Access to Personally Identifiable Information:Assess the extent of third-party access to customers and employees personally identifiable information.RESTRICTED DISTRIBUTION26 2022 Gartner,Inc.and/or its affiliates.All rights reserved.775503Third-Party Risk Manageme

151、ntQuestions for Management How does the organization evaluate the criticality of its third parties?What monitoring and reporting activities are in place to understand changes in third-party risk exposure levels?Which functions most commonly lead third-party assessments?How is information from third-

152、party risk assessments shared and leveraged(beyond the function conducting the initial assessment)?How far down the third-party chain(e.g.,fourth,fifth)does the organization assess third-party risk?How often do you review third-party relationships to ensure compliance with policies and procedures?Ho

153、w does the organization track new compliance risks facing or caused by third parties?How do you use third parties internal audit findings,compliance reviews and misconduct records in your third-party risk assessments?Which third-party risks(e.g.,business,finance)does the organization track in its th

154、ird-party risk monitoring program?What are the top third-party-related issues identified by the ESG materiality assessment?RESTRICTED DISTRIBUTION27 2022 Gartner,Inc.and/or its affiliates.All rights reserved.775503AppendixRESTRICTED DISTRIBUTION28 2022 Gartner,Inc.and/or its affiliates.All rights re

155、served.775503EndnotesCyberthreats1.Check Point Research:Cyber Attacks Increased 50%Year Over Year,Check Point Software Technologies.2.2022 State of the Phish:An In-Depth Exploration of User Awareness,Vulnerability and Resilience,Proofpoint.3.Trellix Global Threat Research:In the Crosshairs:Organizat

156、ions and Nation-State Cyber Threats,Trellix.4.Russia Cyber Threat Overview and Advisories,U.S.Cybersecurity&Infrastructure Security Agency;Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure,U.S.Cybersecurity&Infrastructure Security Agency.5.Cybersecurity Legislation:Prepar

157、ing for Increased Reporting and Transparency,McKinsey&Company.6.Microsoft Digital Defense Report,Microsoft.7.North Korean Hackers Have Prolific Year as Their Unlaundered Cryptocurrency Holdings Reach All-time High,Chainalysis.8.Russia Cyber Threat Overview and Advisories,U.S.Cybersecurity&Infrastruc

158、ture Security Agency;Trellix Global Threat Research:In the Crosshairs:Organizations and Nation-State Cyber Threats,Trellix.9.Russia Cyber Threat Overview and Advisories,U.S.Cybersecurity&Infrastructure Security Agency;The Threat Report:Summer 2022,Trellix.10.FBI Director Wray Says Scale of Chinese S

159、pying in the U.S.“Blew me away”,NBC News.11.Trellix Global Threat Research:In the Crosshairs:Organizations and Nation-State Cyber Threats,Trellix.12.Russia Cyber Threat Overview and Advisories,U.S.Cybersecurity&Infrastructure Security Agency;Russian State-Sponsored and Criminal Cyber Threats to Crit

160、ical Infrastructure,U.S.Cybersecurity&Infrastructure Security Agency.13.Cybersecurity Legislation:Preparing for Increased Reporting and Transparency,McKinsey&Company;Cyber Incident Reporting for Critical Infrastructure Act of 2022(CIRCIA),U.S.Cybersecurity&Infrastructure Security Agency.14.New SEC C

161、ybersecurity Reporting Requirements:Three Things Companies Need To Do Now,Forbes;Fact Sheet:Public Company Cybersecurity:Proposed Rules,U.S.Securities and Exchange Commission.15.Critical Infrastructure Cyber Notification Obligations:When Do You Need to Comply?,Lexology;Report a Cyber Security Incide

162、nt,Australian Cyber Security Center.16.Letter From the U.K.Information Commissioners Office,U.K.Information Commissioners Office.17.Cybersecurity Legislation:Preparing for Increased Reporting and Transparency,McKinsey&Company.RESTRICTED DISTRIBUTION29 2022 Gartner,Inc.and/or its affiliates.All right

163、s reserved.775503EndnotesIT Governance18.2022 Gartner CIO and Technology Executive Survey.19.Gartner(2021).20.2022 SaaS Visibility and Impact Report,Torii.21.1Q22 Gartner Global Labor Market Survey.22.Gartner(2022).23.Gartner(2022).24.Perception vs.Reality:The State of SaaS Management,Cledara.25.The

164、 State of SaaS Management,Productiv.26.Gartner(2022).27.2Q22 Gartner Global Labor Market Survey;Gartner(2022).28.White Paper:Multicloud Annual Research Report 2022,Rackspace Technology.29.Gartner TalentNeuron.30.2Q22 Gartner Global Labor Market Survey.31.The Upskilling IT 2022 Report:Empowering Prof

165、essionals for the Jobs of Today and Tomorrow,DevOps Institute.Data Governance32.Tech Trends 2022,Deloitte.33.2022 Gartner CIO and Technology Executive Survey.34.Gartner(2022).35.Gartner(2022).36.2022 Gartner CIO and Technology Executive Survey.37.Gartner(2021).38.IBMs DeepLocker:The Artificial Intel

166、ligence Powered Sneaky New Breed of Malware,Packt;Malicious AI Isnt A Distant Reality Anymore,Forbes;How Data Poisoning Attacks Corrupt Machine Learning Models,CSO;Poisoned Robots:Data Poisoning Threatens AI-Powered Mechanisms,JDSUPRA.39.2021 Gartner AI in Organizations Survey.40.Europes AI Act Cont

167、ains Powers to Order AI Models Destroyed or Retrained,Says Legal Expert,TechCrunch;The European Union AI Act:Next Steps and Issues for Building International Cooperation in AI,Brookings.41.Gartner(2022).42.The State of U.S.State Privacy Laws:A Comparison,The National Law Review.43.From CCPA to CPRA:

168、What to Know About the California Privacy Law,Cimatri.44.Localization of Data Privacy Regulations Creates Competitive Opportunities,McKinsey&Company;Gartner(2022);The State of U.S.State Privacy Laws:A Comparison,The National Law Review;From CCPA to CPRA:What to Know About the California Privacy Law,

169、Cimatri.45.Localization of Data Privacy Regulations Creates Competitive Opportunities,McKinsey&Company;Gartner(2022);The State of U.S.State Privacy Laws:A Comparison,The National Law Review;From CCPA to CPRA:What to Know About the California Privacy Law,Cimatri.RESTRICTED DISTRIBUTION30 2022 Gartner

170、,Inc.and/or its affiliates.All rights reserved.775503Third-Party Risk Management46.The 2022 Prevalent Third-Party Risk Management Industry Study:TPRM Programs Are at a Crossroads,Prevalent.47.2022 Gartner ERM Client Survey on Third-Party Risk.48.The 2021 Prevalent Third-Party Risk Management Study:L

171、ooking Beneath the Cyber Risk Surface,Prevalent.49.Resilience 2022:Interos Annual Global Supply Chain Report,Interos.50.The 2022 Prevalent Third-Party Risk Management Industry Study:TPRM Programs Are at a Crossroads,Prevalent.51.PwC Digital Trends in Supply Chain Survey 2022,PwC.52.Resilience 2022:T

172、he Interos Global Supply Chain Report Focus:Financial Services Sector,Interos.53.EU Mandatory Human Rights and Environmental Due Diligence,Article One;European Union Releases Draft Mandatory Human Rights and Environmental Due Diligence Directive,Center for Strategic&International Studies;Bill S-211:

173、Impact on M&A Transactions,Norton Rose Fulbright;ESG Reporting Mandates to Know for Third-Party Risk Management,ProcessUnity;Germany:New Law Obligates Companies to Establish Due Diligence Procedures in Global Supply Chains to Safeguard Human Rights and the Environment,U.S.Library of Congress;Norways

174、 Transparency Act:What You Need to Know,Sedex.54.EU and U.K.Climate Disclosure Programmes:An Overview,Watershed;EU Nears Adoption of Expansive Corporate Sustainability Reporting Requirements,Sullivan&Cromwell.55.The Coming Credit Crunch,Bloomberg.(Paid subscription required.);Brutal Stock Selloff Is

175、 a Multitude of Bear Cases Coming True,Bloomberg.(Paid subscription required.)56.Global Insolvency Report:Growing Risks and Uneven State Report,Allianz Research.57.Survey:From Bad to Worse,Goldman Sachs.58.Survey:From Bad to Worse,Goldman Sachs.59.The Retail Industry Is Facing a Potential Wave of Ba

176、nkruptcies Heres Why,CNBC.60.Global Insolvency Report:Growing Risks and Uneven State Report,Allianz Research;The 2021 Prevalent Third-Party Risk Management Study:Looking Beneath the Cyber Risk Surface,Prevalent;Guarding Against Supplier Insolvency,GrowthBusiness.EndnotesRESTRICTED DISTRIBUTION31 202
