Cyberthreats and IT governance are among the top concerns of auditors in 2023, said Gartner recently when releasing the Gartner 2023 Audit Plan Hot Spots Report.
The report is based on results of a survey of 112 chief audit executives (CAEs) completed in August 2022 and additional structured interviews with CAEs and IT Audit leaders, as well as data and insights generated from cross-functional Gartner research throughout 2022, the advisory firm noted.
While cyberthreats remain a perennial concern for CAEs, the drivers of this risk have evolved as a result of new geopolitical conflicts and the heightened prospect of state-sponsored attacks, said Leslee McKnight, vice president for the Gartner Legal, Risk and Compliance practice.
“Mitigation plans need to be revisited to reflect the evolution of the risk and prepare the organisation to meet increasingly stringent disclosure requirements in the event of a breach,” she advised.
Adjacent hot spots, such as ensuring adequate IT governance and third-party risk management, contribute to a challenging outlook for mitigating the full array of potential cyberthreats facing organisations in 2023, Gartner pointed out.
While most CAEs indicated they planned to address cybersecurity in their plans next year, only 42% of survey respondents expressed a high level of confidence in their ability to provide adequate assurance in this area, the research firm said.
According to Gartner, the top concerns of auditors are as follows:
• IT governance
• Data governance
• Third-party risk management
• Organisational resilience
• Supply chain
• Macroeconomic volatility
• Workforce management
• Cost pressures
• Climate degradation
Three key themes drove the risks this year including a “renationalisation of resources” and a “triple squeeze” of growing cost pressures, supply chain risks and labor scarcity, Gartner pointed out.
The final theme, the need to “rethink organisational resilience,” is unique as its own distinct risk area and a driver of a multitude of other risks, the firm added.
The ability to withstand crises and disruptions may become more critical next year, but many organisations still take a limited view of resilience, mostly focused on business continuity and IT disaster recovery, Gartner observed.
This narrow view of resilience fails to account for additional risks impacting resilience including greatly increased economic volatility and impacts from climate degradation, the firm warned.
“Rethinking resilience is a key theme that underlies a diverse set of risks facing organisations in 2023, including economic volatility, climate degradation and third-party risk management,” said McKnight.
Currently less than one-third of audit leaders are highly confident in their team’s ability to provide assurance over organisational resilience risk, and more concerning, less than half plan to cover organisational resilience in audit activities in the coming year, she noted.
The increasingly interconnected risk landscape increases the chances for cascading risks, where one risk causes additional risks to manifest for an organisation, a scenario that few organisations are actively planning against today, she added.