CAE Bulletin Issue: November 18, 2024

Cybersecurity Remains the Hottest Topic for 2025 in Deloitte UK Internal Audit Study

Digital transformation and IT change ranks 2nd, followed by tech strategy and governance.

Technological advancements continue to expand the scope and complexity of the internal auditor’s job. That means audit teams must embrace the changes while focusing on “hygiene” factors, fundamental risks, and principles.

Those were among the assertions of a recent study out of the UK by accounting and auditing firm Deloitte. The 14^th annual study on hot topics for technology and digital risk determined that cybersecurity remains the top concern because of an increasing reliance on digital systems and the constantly evolving threat of cyberattacks. This is the 11^th consecutive year it has appeared at the top of the list, chosen by respondents who included heads of internal audit, heads of information technology (IT), and other business leaders across all sectors.

Digital transformation and IT change appears second on the list for the third year in a row. In a new appearance in the top three since a decade ago, technology strategy and governance was cited as third. “A strong IT governance framework is crucial for navigating today’s risk landscape, yet many organizations struggle with implementation and lack leadership buy-in,” an announcement of the report reads. “This disconnect hinders strategic decision-making and creates unnecessary risk.”

Rounding out the top 10 hot topics were: artificial intelligence including GenAI; data; resilience; identity and access management; cloud; third-party risk management; and emerging technology trends. The study looked at the differences in responses between those in financial services and those in other sectors. Financial services organizations placed a higher emphasis on GenAI, indicating a potential for accelerated adoption and exploration of this transformative technology within that sector. “This suggests a proactive approach to leveraging GenAI for competitive advantage in areas such as fraud detection, customer service, and risk management,” the study reads.

Audit Partners Worry About Potential Recession, Inflation, Geopolitical Instability

But the Center for Audit Quality survey shows most are neutral or positive on economic outlook.

Looking ahead to 2025, external audit partners and the companies they audit have named their top concerns as a potential recession, ongoing inflation, and geopolitical instability. Despite the risks, their outlook for the U.S. economy for the next 12 months is trending neutral, cited by 50%, compared to 39% who said they are optimistic or very optimistic and 10% who said they were pessimistic.

The Center for Audit Quality’s most recent Audit Partner Pulse survey, released on Oct. 30 before the general election, provides independent and objective perspectives on a range of topics, including economic risks and business transformation, according to a press release. The majority of auditors responding to the survey said they believe inflation will continue to impact businesses in their primary industry sector for more than 12 months, cited by 52%.

Among other findings:

• The breakdown of the largest economic risks facing companies in respondents’ primary industry sector over the next 12 months were recession (25%), regulations (21%), geopolitical instability (18%), cybersecurity threats (12%), rising interest rates (11%), supply shortage and supply chain disruptions (6%), and labor shortages (4%).
• In looking at the top trends in human capital, or HR, about 28% of respondents said companies in their primary sector are upskilling employees. About 25% are reducing headcount capacity and 21% are decreasing flexibility in workplace location. Only 10% are increasing compensation, 7% are increasing flexibility in workplace location, and 5% are expanding employee benefits.
• When asked how companies in their primary industry sector have used AI technologies, respondents cited these top answers: process automation (24%), customer experience, service, and support (20%), predictive analysis (13%), targeting marketing (11%), and content creation (8%).
• An overwhelming number of respondents (78%) said companies in their industry do not have exposure to cryptocurrency. Only 2% said cryptocurrency is an accepted form of payment.

Honest-Humility Could Be Key Personality Trait for Effective Auditors

New study out of Carnegie-Mellon and University of Denver used HEXACO model.

In light of recent high-profile accounting scandals, a recent study examined how two personality traits influence an external auditor’s likelihood to report financial misstatements. The traits were honesty-humility and agreeableness.

Researchers at the Tepper School of Business at Carnegie Mellon University and the University of Denver found that auditors with higher honest-humility scores “were more likely to prioritize professional integrity and report financial infractions, while those with lower scores did not,” according to an article in Phys.org by British news source Science X. The findings were published in the Negotiation and Conflict Research journal by the Carnegie Mellon University Library Publishing Service.

Agreeableness, which can be associated with conflict avoidance and a desire for social harmony, did not reliably affect auditor reporting behavior, the research showed. That suggests this trait might not be as crucial for ensuring audit quality, the article said.

“Personality traits can play a key role in identifying individuals who will communicate disagreement with clients and effectively uphold financial reporting standards,” said study co-author Taya Cohen, professor of organizational behavior and business ethics at Carnegie Mellon. "Our findings show that screening auditors for honesty-humility could enhance monitoring quality and help prevent costly oversight failures."

For the study, researchers used the HEXACO model of personality, which identifies six dimensions: honesty-humility, emotionality, extraversion, agreeableness, conscientiousness, and openness. The honesty-humility trait, characterized by fairness and modesty, was found to be the only one to consistently predict better monitoring quality.

“Organizations should consider hiring auditors who display high levels of honesty-humility and provide interventions for those who could benefit from developing behaviors characteristic of this trait,” said Lily Morse, assistant professor of management at the University of Denver's Daniels College of Business, who led the study. Morse received her Ph.D. at the Tepper School of Business.

C-Suite Leaders Should Consider Their Role in Creating US Guardrails for Use of AI

Public-private, bipartisan collaboration can help businesses continue on path to innovation.

While the business world waits for a policy that sets guardrails to guide the safe and effective deployment of artificial intelligence (AI), C-suite leaders should take a proactive stance. Although AI presents risks ranging from bias and inaccuracy to misuse and weaponization, it also offers opportunities to innovate and excel.

“CEOs should not sit idly awaiting this development in Washington,” a recent article in Chief Executive said. “Instead, they should actively work with lawmakers and other officials to help establish such a structure. After all, the goals of leading in AI innovation and ensuring AI’s safety and security are not in opposition; they are complements.”

The article gives an update on current laws and regulations. The Artificial Intelligence Act in Europe and several pieces of proposed legislation in individual states are leading the way but leaving businesses facing a patchwork of compliance requirements rather than a single uniform standard.

The article offers advice on how corporate leaders and policymakers should approach a broader AI framework in the U.S. The guardrails should address nine critical areas:

1. The U.S. should aim to lead in AI. 
2. Promote innovation.
3. Prioritize transparency. 
4. Apply a risk-based approach.
5. Protect data privacy.
6. Clarify AI intellectual property rights and liability.
7. Collaborate with international allies.
8. Mitigate environmental impact.
9. Invest in workforce and literacy.

Public-private collaboration and bipartisan efforts will lead to a clear and strategic U.S. framework to understand AI and address its implications, the article said. The goal is to make the transition that ensures AI is safe for users, clearly defined for businesses, and supportive of innovation.

AI Is Changing the Game, and Internal Audit Must Adapt to Proactive Strategies

The technology provides opportunities for innovation but also tools for added risk.

Global organizations are increasingly focusing on the overlaps and integration of artificial intelligence (AI), IT security, and internal audit. This calls for organizations to modify their internal audit strategies to manage risk or capitalize on the emerging opportunity landscape.

A recent Wolters Kluwer article uses a chess board analogy to explain what is happening in this space and examines how AI is changing the game. On one hand, AI creates a new set of tools that enhance an organization’s ability to detect and address a wide variety of threats associated with emerging technologies. On the other hand, it also provides tools for adversaries to enhance their ability to disrupt or attack.

To address this, the internal audit function needs to shift from a reactive to a proactive approach, the article says. Internal auditors should leverage AI for predictive analytics and also for developing and fostering comprehensive risk assessments. Auditors must become more experienced and proficient with AI in these key focus areas:

• Understanding AI technologies and their applications in cybersecurity.
• Data analytics and machine learning fundamentals.
• Ethical considerations and governance frameworks required in implementing AI.
• Risk assessment methodologies for AI-powered systems.

By mastering those skills or at least developing a foundational understanding of them, internal auditors can position themselves as strategic partners in the growing field of AI risk management and mitigation. This will ensure their organizations remain resilient in the face of emerging threats.

The article offers best practices for integrating internal audit with IT security to mitigate AI risk. Those include everything from risk assessment to continuous monitoring and auditing, and from skills development to third-party management.

‘Green Skills Gap’ in the Boardroom Leaves Many Organizations Vulnerable

These 3 steps can help directors more effectively guide sustainability strategy.

In the past decade, organizations have come to realize that the rapidly evolving landscape around sustainability compliance and reporting requires additional skills from leaders and board members. Those who are falling behind are feeling the pressure, leaving a “green skills gap” in some boardrooms.

“Businesses are working hard to skill up their workforces through training and recruitment, but these efforts seem to stop at the boardroom door,” according to a recent Reuters article. A study earlier this year by Competent Boards in collaboration with the Copenhagen Business School revealed that only about 2% of Fortune 500 boards in the U.S. and Europe have strong enough competency to guide their organizations in sustainability risk and strategy.

“So why do many boards fail to prioritize sustainability education? For some, the long-term nature of climate risk doesn’t seem as pressing as other immediate business concerns,” the article reads. “Others feel overwhelmed by the technical complexity of sustainability issues or believe their current strategies are sufficient to meet future challenges.

The pressure to close the skills gap is intensifying because of regulatory changes, consumer preferences, and other factors, the article said. There are three steps to closing the skills gap:

• Provide education for board members. Directors need the tools and insights to grasp the implications of climate and nature risks, understand relevant metrics, and embrace sustainable business practices. The sustainability landscape is constantly evolving, and a culture of continuous learning is critical to keeping boards informed and well-equipped.
• Prioritize recruiting directors with expertise in sustainability fields. These include environmental science, climate policy, and corporate sustainability.
• Foster direct engagement with key stakeholders to understand evolving expectations. Active dialogue among investors, employees, and customers informs boards about trends and strategies.

AICPA and NC State Report Shows Enterprise Risk Management Is Undervalued

Organizations are focusing on other priorities while the nature of threats keeps evolving.

Audit executives and their teams are seeing organizational risks increase in volume and complexity, but risk oversight processes are lacking in robustness and maturity, according to a recent study. Enterprise risk management (ERM) is taking a back seat while organizations focus on other priorities, leaving themselves open to unexpected negative events.

The 2024 Global State of Risk Oversight: Managing the Rapidly Evolving Risk Landscape is the latest report from the Association of International Certified Professional Accountants (AICPA). It was issued at the end of October in partnership with North Carolina State University’s Enterprise Risk Management Initiative and surveyed respondents in accounting, finance, management, and other leadership role in four regions: the U.S.; Europe and the UK; Asia and Australasia; and Africa and the Middle East.

About 66% of respondents said they sense the volume and complexities of risk increasing, but only 32% describe their organization’s risk oversight practices as “mature” or “robust,” according to an NC State article. Additionally, 17% said executives do not see the benefits of ERM exceeding the costs, or they feel there are too many needs more pressing than ERM.

Among other findings:

• About 47% of respondents globally said their organizations are appointing a single individual, such as a chief risk officer, to lead the risk management function. However, 64% are more likely to have a management-level risk committee in place.
• In all regions, a low number of respondents said their organizations are mature or robust in risk oversight: Europe 38%; Africa and the Middle East 32%; U.S. 30%; and Asia and Australasia 25%.

“Globally, effective enterprise-wide risk management should be one of the organization’s most important strategic tools,” said Mark Beasley, an Alan T. Dickson Distinguished Professor of Accounting and director of the ERM Initiative at NC State. “Unfortunately, many organizations view risk management as a distraction from more important strategic tasks. Risk management will not become easier over time. Given the rapid speed of change in the global business environment, complex risk issues will continue to emerge at a rapid-fire pace. Now is the time for many organizations to give their approach to risk governance an honest assessment.”

Employee Burnout Is on the Rise, According to Grant Thornton Study in the US

CAEs will have to deal with emotional stress of employees to retain their top talent.

Audit executives are looking for ways to recruit and retain team members who will be able to take the profession into the next phase of development. A new survey out of audit and assurance firm Grant Thornton sheds insight into one aspect they will have to consider: employee burnout.

The firm’s 2024 State of Work in America study, which surveyed 1,500 professionals, shows 51% of respondents report they have suffered on-the-job burnout in the past year — a number that is up 15% over the 2023 survey. About 34% said they had not experienced burnout, and 14% were neutral or unsure.

When asked what contributed to burnout at their jobs, 63% of respondents cited mental and emotional stress — up from 53% last year. Other contributors were long hours (54%, compared with 42% in 2023), shortage of workers (52%, up from 41%), work/life balance (38%, up from 28%), and inefficient processes and systems (33%, up from 30%).

Among other findings:

• External factors such as increasing global conflicts, post-pandemic inflation, and a particularly stressful political environment can all cause stress for employees, who bring their worries into the workplace. The isolating nature of these outside stressors can be especially troubling from an employer standpoint, the study said.
• People shortages present the most stressful factor at work, according to 40% of respondents. Among other major stressors: poor communication, 34%; unrealistic expectations, 29%; length of the workday or work week, 26%; organizational changes, 23%, work/life balance, 20%; the employee’s manager, 17%; and the commute, 14%.
• When asked what attracted them to their jobs, respondents cited the same factors as last year, but the increased interest in compensation factors was notable. The top answer was benefits (cited by 48%, compared with 39% in 2023), followed by base pay (45% this year, up from 36%), advancement opportunities (29%, up from 24%), and job security (25%, up from 23%).