The Ultimate Guide to Audits in 2023 and Beyond

The state of audits in 2023

Despite gloomy economic predictions, 53% of survey respondents expect budgets to increase in 2023 and 39% expect staffing improvements. Still, more than half of respondents report having fewer resources than necessary to address risks within their organizations. This is the case for organizations that have recently increased resources as well. When increases are not enough to address risks, organizations must utilize technology to expand capacity and make the most of the resources that are available.

Gartner groups the risks audit teams must identify and mitigate this year into three themes:

Triple squeeze

If a recession does occur this year, it will be accompanied by high inflation, talent shortages, and supply chain constraints and will have an uneven impact across regions, industries, and even companies in the same industry. These pressures may trigger upward cost pressure for businesses, more supply chain disruptions, and labor shortages. Labor shortages will hit IT the hardest, due to trouble hiring and retaining IT talent.

Risks to expect include upward cost pressure, workforce management, IT governance, and supply chain stability. 82% of executives report they currently face upward price pressure for inputs. Half expect that pressure to continue through the first half of 2023. Contrary to typical expectations, the upward pressure is on product inputs, talent costs, and borrowing costs. Coupled with shifting tax codes, this will raise tax burdens. Organizations can get in front of these issues by sourcing IT talent, creating more geopolitically stable supply chains, and investing in relevant software solutions.

Renationalization

The days of comfortably relying on a global, just-in-time market are long gone. Covid-19 and the war in Ukraine have pushed multi-polarization and geopolitical assertiveness to the forefront.

92% of organizations either have faced or expect to face a state-sponsored cyber-attack. This threat has peaked regulators’ attention, driving new disclosure rules for the United States and the United Kingdom.

ESG opinions vary drastically from country to country, creating inconsistent reporting requirements and regulations.

This reverse globalization also impacts data governance. As business data becomes more centralized, countries across the world are implementing contradicting data regulations.

Resilience 

With extreme weather events, economic strife, and more global conflict on the horizon, businesses are better off owning their increased fragility than waiting for a “new normal”. Internal audits should spend 2023 building organizational resilience that can withstand whatever the future may hold, with very little warning.

Top risks in 2023

The risk landscape did not change significantly throughout the year 2022. No risks declined significantly, and only these few categories experienced minimal increases:

●     Business disruption

●     Environmental, social, and governance (ESG)

●     Attracting/retaining talent

●     Organizations’ use of advanced technology

●     Organizational culture

Organizations will battle disruptive events in 2023. Cyber and data security and talent shortages are the top risks organizations will face in 2023. Over 80% of survey respondents marked cyber/data security as a “very high” or “higher than average” vulnerability. Nearly 75% of respondents said the same about talent.

Macroeconomic volatility broadens the scope of disruptive events organizations must prepare for even further. Interest rates are still on the rise, inflation is raging, and global demand is unstable. More comprehensive audit planning is crucial to surviving whatever hurdles the economy produces this year.

Environmental, Social, and Governance

ESG is one of the fastest-growing risk categories surveyed in 2022. Two-thirds of respondents deemed ESG a top risk in 2023. Still, ESG risk gets a consistently divided response. 2022 experienced multiple warnings urging the world to accelerate climate change efforts, including those by the World Economic Forum. 

Increased climate degradation is pushing organizations to prepare for extreme weather events and the potential loss of critical infrastructure– a huge escalation from previous efforts to identify potential operational risks and craft a sustainability strategy.

Despite all of this, all three ESG components were ranked in the bottom half of 2023 risk areas by the same pool of survey respondents.

Kicking ESG to the bottom of the priority list is not an option in 2023. Better ESG risk management and reporting is a top priority for consumers, shareholders, and other stakeholders. The risk is increasing– auditors need to respond to the demand in 2023, lest they fall behind. The consequences of not doing so could mirror those experienced by auditors who avoided addressing cyber and data security risks.

Third-party reliance and workforce culture

Reliance on third-party risk management is also impacting organization fragility. While reliance on third-party ecosystems has not been crash tested against the degree of volatility organizations face this year. 

Culture has long since laid the foundation for an organization’s resilience. The new hybrid and remote working model introduces the risk of employee disconnectedness. Organizations that do not prioritize employee engagement this year, no matter the working model, risk losing their foundation.

The recession could trigger a shortage of resources, hiring freezes, and cutbacks for optional expenditures– in other words, audit departments could be heading for a trifecta of doom in 2023. Risks are growing more complex and CAEs already feel they lack the resources necessary to address them.

While it’s likely that internal auditors will encounter pressure to lower expenditures, maintaining adequate resources is crucial to surviving the impending recession.

Adopting new technologies that maximize current resources and improve efficiency throughout the audit department is the best way to remain resilient through the impending economic downturn.

Risk areas expected to increase by 2026

ESG risk expectations trend upward in the coming years, but not enough to align with the severity of environmental risk projected by the world economic forum.

The risk expectations for the use of advanced technologies are trending upward at a faster rate, due to the rapid pace at which businesses are integrating these technologies into operations.

Risk areas expected to decrease by 2026

Slight decreases are expected for cyber and data security risks, talent-related risks, and macroeconomic related risks. These survey results show that auditors feel the economy and labor market will level out within the next few years.

Risk/effort gap

One pressing issue to be aware of this year is the gap between risk level and planned audit effort. This gap is most noticeable in relation to:

●     The ability to attract and retain top talent

●     Macroeconomic factors and geopolitical uncertainties

●     Business model disruptions

While 77% of respondents listed the talent shortage as a critical risk, only 16% are addressing the risk with significant resources. Macroeconomic factors follow a similar trend, with 68% of respondents deeming the risk critical and only 13% addressing it with substantial resources. Business model disruptions due to the evolving digital risk landscape have the smallest gap, with 50% of respondents marking the risk as critical and only 20% making moves to address it.

45% of chief audit executives surveyed named inadequate resources in quantity and/or expertise as the primary reason for misalignment between risk and the level of effort. 20% of CAEs say that internal audit coverage falls short in high-risk areas because assurance is provided by a second-line function.

Steps must be taken to bridge the gaps between internal audit coverage and high risks. Organizations can achieve this through upskilling talent, developing strategic sourcing strategies, improving staff efficiency, creating agile processes, and implementing advanced technologies.

Risk monitoring recommendations

90% of respondents do not use independent efforts to gather data and analyze risks objectively, relying instead on other risk-related functions.

A continuous audit model monitors risks on a rolling basis, giving organizations the foresight necessary to adjust to rapidly changing conditions. Many internal audit teams are collaborating with business management and other risk-related functions within the organization.

While support from other functions within the organization is beneficial, internal auditors must complete assessments with objectivity, filtering ideas from those functions with adequate scrutiny. When the internal audit team lacks the talent and/or skills to analyze an issue, they should make efforts to upskill and/or request third-party support.

Key risk indicators enable efficient continuous monitoring. They are another underutilized risk monitoring strategy, utilized by only half of survey respondents.

Internal auditors also benefit from engaging with internal auditors from other organizations. This type of networking keeps auditors from operating in a vacuum, helping them understand and prepare for emerging risks. Internal auditors can help each other assess risk assessments and audit plans and fill any risk gaps. Industry reports from credible third parties can also help auditors identify new trends and risks.

According to the survey, less than half of internal auditors partake in the networking mentioned above.

Proactive risk-monitoring checklist

Ever since the beginning of 2020, businesses have faced one disaster after another. Relax now, and you may not survive whatever threats surface this year. Below is a proactive risk monitoring blueprint that can help your organization thrive in 2023:

1. Address your resource challenges now: You can’t recognize risk without resources. If you’re struggling to find adequate talent, now is the time to solve that problem. Effective risk management in 2023 requires talent, technology, and process. If you can’t get enough good talent, invest in technology to fill the gaps.
2. Prioritize ESG risk areas now: ESG risks are no longer the future– they’re the present. Expect dangerous weather events and new reporting regulations in the coming year.
3. Uphold the internal audit basics: When the organization leans on risk monitoring functions, revisit internal auditing basics and restate the value of the internal audit’s objective perspective.
4. Expand risk monitoring: Utilize upskilling and seek third-party resources when necessary. Utilize key risk indicators, engage with peers, and consume relevant content from credible sources to keep your finger on the pulse of potential risk within your industry.
5. Close effort gaps and avoid complacency: Old methods can’t fix new problems. Businesses are currently operating in a volatile environment. New risks need new solutions. Gaps between top risks and audit efforts must be closed to survive whatever 2023 throws our way. Fresh auditing technologies, perspectives, and methods are key to enduring unpredictable moments of disruption.

Threat-specific recommendations

Cyberthreats

●     Revisit cybersecurity program definitions, framework, and the quality of risk assessment, mitigation, and controls.

●     Review IT and information security's risk and threat discovery practices.

●     Examine how IT monitors applications, databases, networks, and other assets to detect unusual activities.

●     Prioritize assessing critical or sensitive assets.

●     Evaluate current incident response plans to ensure effective, timely escalation, coordination, and communication with relevant stakeholders.

●     Assess how roles and responsibilities are defined in relation to cyber incidents.

●     Evaluate the baseline for current cybersecurity reporting capabilities, including those for incidents and cyber defense posture

IT Governance

●     Implement technologies and procedures for monitoring the network for unauthorized software and interfacing between authorized and unauthorized software.

●     Review and update information security policies to ensure they prohibit unauthorized software use, provide effective employee training and awareness, and outline procedures for requesting new software.

●     Develop a written directive on SaaS ownership with governance rules and enforcement mechanisms.

●     Conduct assessments of IT and technical talent to identify skills and potential gaps.

●     Define core competencies and skills needed to meet security and IT objectives.

●     Monitor progress on workforce plans and IT talent risk mitigation strategies.

●     Keep plans up-to-date as business circumstances evolve.

Data governance

●     Review documentation for AI projects to identify risks and potential controls and mitigations.

●     Establish standards for AI deployment that mitigate identified risks.

●     Assign responsibility for oversight and implementation of controls.

●     Assess the criticality of AI-related applications, data, and assets.

●     Implement appropriate controls.

●     Evaluate practices for monitoring AI and related data for signs of bias or malicious interference.

●     Ensure compliance with applicable regulatory mandates.

●     Review and update policies that govern data access and storage.

●     Assign responsibility for regular review, evaluation, and updating.

●     Identify and track relevant regulations on the use of personally identifiable information (PII) and maintain compliance.

Third-party risk management

●     Review ESG assessments to determine how the organization assesses scope 3 emissions.

●     Assess the organization's process for identifying and interpreting ethical supply chain regulations in all applicable jurisdictions.

●     Determine whether the organization's ethical supply chain practices address these requirements.

●     Assess the extent of continuous monitoring of key third-party relationships.

●     Review the frequency of which risk profiles are reassessed and updated

●     Assess whether third-party risk management is integrated into a business continuity management plan

●     Review the third-party portfolio to ensure that there is a strategy for managing business interruptions if a single third party fails to deliver

●     Assess contracts, evaluating the process for writing and approving contracts with third-party vendors and contractors

●     Ensure that contracts adequately stipulate information security, data privacy, and other requirements

●     Assess activities ensuring third-party adherence to contracts, particularly for high-risk entities.New Paragraph

How audit technology can help you withstand a recession

To survive a recession, organizations need tools that can maximize the resources they do have. Digital audits streamline the efficiency and effectiveness of internal audit programs, allowing organizations to perform better-quality audits with fewer resources available. Here’s how:

Greater efficiency

Electronic audits allow businesses to process large volumes of data in a fraction of the time manual audits require. Data analytics tools identify irregularities with precision, ensuring audit results are accurate and comprehensive.

Advanced risk management

Sophisticated algorithms identify weak points in operations, automatically flagging malfunctions and risks with greater accuracy than traditional audits allow. Continuous auditing can be implemented so that risks are identified on a rolling basis. This auditing model safeguards the company against risk, promoting resilience in the process.

Credibility

Electronic audit results are more trustworthy, which makes them appear more credible to investors, regulatory bodies, government agencies, and even customers. This can go far in combating recession-related apprehension.

Cost-effectiveness

Electronic audits are less expensive than traditional audits. Organizations can maximize talent by allocating hours previously spent manually sifting through documents to more impactful activities.

Organizations can then save on labor while maximizing talent output, all without subtracting from internal audit effort and quality.

Security

Physical document storage is inconvenient and inaccessible. Electronic audits allow users to view data anywhere, anytime– so long as they have the necessary permissions.

Data is encrypted to allow secure transmission and storage of sensitive information. This protects audit data from breaches and unauthorized access.

Digital audit software also captures every time someone accesses a file. Organizations can use this to track actions back to a certain individual, time, and date if necessary.

If you haven’t made the switch to electronic audits, now is the time. Organizations face a unique set of risks this year– too little talent, too few resources, and a recession to boot. While it won’t make the recession go away, efficient, accurate auditing can help your organization brave whatever storms 2023 throws our way.

Ready to give electronic auditing a try? Give Forms on Fire a try for 14 days, no credit card required.