IT Security

43% of Audit Executives Rank Cybersecurity Controls as 2023’s Lead Risk

Auditors also see challenges in ESG implementation, business transformation, and attracting talent.

As company financial performance comes under increasing scrutiny going into the new year, recent data from Jefferson Wells reveals the expected auditing and controls hurdles corporate finance teams face. With risk management, data integrity, and unpredictable markets affecting the decisions of most companies at the moment, auditors are preparing themselves for a significant workload over the next twelve months.

Communication Is Cybersecurity’s Remedy 

Data privacy and cybersecurity was ranked as the top audit concern for the second year in a row. Tim Lietz, national practice leader of risk and compliance at Jefferson Wells, believes collaboration within the C-suite is the best remedy for issues surrounding cybersecurity.

Lietz insists that it is not just communication, but the consistency of that communication, that puts forth the best effort in data security.

“From my internal audit/internal control standpoint, I would always advise CFOs to work closely with their chief information officer, chief information security officer, chief audit executive, compliance officer (if applicable), and general counsel throughout the year to make sure growing cybersecurity challenges are properly assessed, addressed, controlled and exposure minimized,” Lietz told CFO.

The survey found employers are using communication not only laterally, but vertically, in order to fight ongoing cybersecurity threats. Executives reported independently assessing areas in training like password policies (54%), data loss prevention (46%), internal threats and vulnerabilities (43%), and malware detection (43%).

“It takes clear communication between all these individuals to make sure cybersecurity efforts are highly prioritized and adequately funded through budget allocation each fiscal year,” Lietz said when asked about the CFO’s impact on cybersecurity issues. 

But executives appear to be underprepared or are falling behind in their cybersecurity efforts. Nearly one-third (32%) of respondents said they do not have cybersecurity as an integral part of their technology risk assessment. Forty-four percent said they do not include threat and vulnerability management. More than half of respondents said they don’t offer either identity and access management (51%) or ransomware protection (59%).

Challenges in the Workforce 

Audit executives reported their people-based challenges stem from a workforce that is more than half remote (53%). While more than three-quarters (78%) of audit executives worked with their teams in some type of hybrid environment, employee retention remains difficult. IT audits (60%), data analytics (51%), and cybersecurity (42%) are the top three areas in which employee retention is most difficult. Due to this, more than half (53%) of respondents said they rely on outsourced help for IT audit expertise.

“I found it very interesting that internal audit departments were so heavily impacted this year by being short-staffed,” Lietz said. “The red hot job market continues to force chief audit executives to complete their annual audit plan with fewer resources than in years past.”

A need for quality labor in these areas appears to be overriding looming economic woes. Only 3% said they plan on reducing their labor force, while more than half (59%) plan on making no changes to headcounts. Over one-third of respondents (34%) said they plan on increasing their workforce. 

Operational Impact of Internal Audits 

With digitalization, new tech, ESG, and regulatory compliance mixed in with labor issues, internal auditors have their hands full. In a mix of new responsibilities and workflows, 40% of audit departments are in the process of assessing new technologies and applications, data shows. 

Alongside a reported 10% increase year-over-year in contract compliance audits, internal auditors appear to be spending more time on the job. Not only are a third (33%) of audit departments working on new construction projects, but surveyors also reported a 9% increase overall in time spent on divestitures and reorganizations. 

“CFOs would gain significant insights from seeing what the top internal audit priorities are heading into 2023 as well as learning what is top of mind for audit committees as well,” said Lietz. “This info helps CFOs adequately [prepare] for upcoming audit committee meetings regarding focal points that both internal audit leaders have as well as what their audit committee chair is concerned about heading into a new year.”

Auditors Have a Key Role in ESG

Nearly a third (31%) of respondents said ESG was a top area of concern. While the most frequent role of auditors in ESG was in risk advice (48%), validating the effectiveness of ESG activities and integration of ESG risk assessments into broader risk assessments and audits trailed closely behind at 47% and 43%, respectively. 

71% of audit executives plan on adding an ESG assessment into their audit plans down the line. As surveyors found confidence in CFOs surrounding ESG preparations in their previous CFO survey, financial executives’ confidence seems to be trickling into preparation efforts by their audit teams.

“I was also pleasantly surprised to see how involved internal Audit Departments are with ESG efforts within their organizations,” said Lietz. “[Nearly three quarters] of auditing teams plan to cover ESG in some fashion within their 2023 Audit Plan.”