
News round-up: September 2023

A&R magazine, Sep/Oct 23

Economic uncertainty tops UK business risks

Economic uncertainty is now viewed as a “high” or “very high” risk by over half of all businesses in the UK and Ireland, according to a survey conducted by the Chartered IIA.

Boards should work alongside their internal audit functions to build resilience against a possible recession, it says.

The report provides guidance for internal audit functions and boards on navigating risks associated with an economic downturn. It examines lessons learned from previous economic shocks, the current response to economic uncertainty, and how internal audit can support the path to recovery.

While 56% of respondents said there was a high or very high risk to their organisations from economic uncertainty, 26% of respondents highlighted “financial capital, cash flow, and liquidity risk” as the single biggest risk area affected by economic volatility.

The survey found that 73% of internal auditors support or include a risk management framework assessment in their internal audit plan for 2023-24; however, only 11% of internal audit functions support economic scenario planning in their organisation. This is alongside the 23% of internal auditors who engage in financial stress testing exercises carried out by their organisation.

Scenario models underestimate climate risk

A new paper by the Institute and Faculty of Actuaries (IFoA) and the University of Exeter claims that current climate scenario models used in the financial services sector “significantly” underestimate climate risk.

The paper, called “The Emperor’s New Climate Scenarios”, demonstrates how current techniques exclude many of the most severe impacts of climate change, such as tipping points and second-order impacts, causing the models to understate the level of risk.

The paper also found that carbon budgets may be smaller than anticipated and risks may develop more quickly. Regulatory scenarios introduce consistency, but also create a risk of “group think”, with scenario analysis outcomes being taken literally and out of context.

The paper calls for more realistic qualitative and quantitative climate scenarios, and says we need better model development to capture risk drivers, uncertainties and impacts.

Four key factors for AI oversight

Business consultancy Gartner has identified four critical factors to help internal auditors and other assurance providers develop artificial intelligence (AI) oversight that enables their organisations to move forward before final guidance is published.

It advises organisations to: ensure risk management is continuous; build governance that includes human oversight and accountability; guard against data privacy risks; and embed transparency in AI use.

Customers punish failure to act ethically

Businesses tempted to cut back on customer service or environmental and social commitments in an economic downturn may be punished by consumers, according to research by management consultancy Baringa.

In its survey, 79% of UK respondents said they are more likely to purchase from companies they consider “kind”. Only 6% said that the cost-of-living crisis would make them less likely to buy from a kind business because they would base purchasing decisions on price alone.

The researchers said that 80% of respondents would avoid buying from a company that had recently laid off large numbers of staff, with 40% saying they would do so even if this decision cost them more.

Similarly, 54% said they would accept higher costs to avoid firms that were known to have treated their staff poorly, and 53% said they would pay more to avoid firms that treated their suppliers badly.

FTSE boards lack diversity of expertise

Just 2.3% of executive board members (men and women) hold positions other than CEO, CFO or company secretary, and only 10% of executive board directors are women, according to a report by Women on Boards UK and consultancy Protiviti.

The research highlights deep concerns about the lack of skills and diversity of expertise among FTSE All-Share executive board members.

“The Hidden Talent” found that just 81 executive members out of almost 4,800 executive board seats hold positions other than CEO, CFO or company secretary. Furthermore, within this small group of individuals, the report found a further concentration of expertise. Most of these executives held positions focused on operational efficiency, with 68% either being chief operating officers or chief technology officers.

The rest included general counsel and chief information officers.

“The responsibilities of the board have continued to evolve over the past decade and yet the focus remains on traditional skill sets such as finance, operations and CEO experience,” said Fiona Hathorn, CEO and Co-Founder of Women on Boards. “Skills such as social responsibility, human resources or marketing show negligible presence in the boardroom. Companies must take a more holistic view and ensure an optimal mix of expertise to navigate the changing business landscape.”


New insider threats from AI access to shadow databases

Poor data controls and the advent of new generative AI tools based on Large Language Models (LLMs) will lead to a spike in insider data breaches over the coming year, according to a report by cyber security firm Imperva.

As LLM-powered chatbots have become more powerful, some organisations have banned staff from sharing data with them. However, 82% of organisations have no insider risk management strategy, so they are blind to instances of employees using generative AI to, for example, write code or fill out requests for proposals (RFPs), even when this involves giving unauthorised applications access to sensitive data.

Rather than relying on employees not to use unauthorised tools, businesses should focus on securing their data and ensuring they can answer key questions such as who is accessing it, how they are accessing it, and from where, the firm said.

It added that it is crucial for organisations to have visibility over every data repository in their environment so that important information stored in shadow databases is not being forgotten or abused. Organisations should classify every data asset according to type, sensitivity and value to the organisation and implement data monitoring and analytics capabilities that can detect threats such as anomalous behaviour, data exfiltration, privilege escalation or suspicious account creation.

Breaches rise as businesses store more data on cloud

Human error is the leading cause of data breaches in the cloud environment, which affected 39% of businesses last year (an increase on the 35% reported in 2022), according to aerospace and defence company Thales’ latest Cloud Security Study.

The year also saw a dramatic increase in the amount of sensitive data that is being stored in the cloud. Three-quarters of businesses said that more than 40% of data they store in the cloud is classified as sensitive, yet only a fifth of IT professionals reported that more than 60% of their sensitive data in the cloud is encrypted.

According to Thales’ findings, on average, only 45% of data stored in the cloud is currently encrypted.

Employee stress rises to record level

Employee stress levels have reached a record high, according to a report by Gallup. “The State of the Global Workplace” warned that this is a long-term trend, not just a result of the pandemic – workforce stress has been rising for over a decade.

Many factors influence stress, but Gallup found that “managers play an outsized role in the stress workers feel on the job, which influences their daily stress overall”.

Nearly six in ten employees reported that they were “quiet quitting” and disengaging from their work and colleagues. Meanwhile, 51% of currently employed workers said they are watching for, or actively seeking, a new job. Most job seekers said they were looking for increased pay, but other important factors were improved wellbeing and opportunities to grow and develop.

Audit committee chairs call for practical ESG reporting guidance

The Financial Reporting Council (FRC), the UK’s corporate governance regulator, has found that, while audit committee chairs are interested in, and understand, ESG activities in their organisations, their involvement in decision-making processes is limited – particularly when it comes to environmental and social issues.

The FRC said that “their primary role lies in risk management, compliance, and ensuring effective reporting”. Some interviewees expressed concerns about the broad and evolving nature of ESG, which makes consistent measurement and reporting across sectors and markets challenging. They called for practical, sector-specific guidance to measure environmental and social activities and said they would welcome best-practice examples to ensure meaningful ESG reporting without excessive reporting requirements.

Chartered IIA celebrates 75th anniversary

This year marks the 75th anniversary of the foundation of the Chartered IIA, which was initially set up in 1948 as the London chapter of the Institute of Internal Auditors. As its reputation spread, new groups formed in Birmingham, the north-west, the north-east and in Scotland, and these merged in 1975 to form what later became the Chartered IIA.

The first issue of the Institute’s magazine was published in 1976. In the following 20 years, new groups of internal auditors were established in the Republic of Ireland and in Northern Ireland and, together, these became the IIA – UK and Ireland in 1999.

Around the same time, increasing awareness of the need for stronger professional corporate governance led to the Cadbury Report in 1992 and the Turnbull Report in 1999, as well as to the Smith guidance for audit committees of listed companies in 2003. These reinforced the need for professional internal auditors and the work they do. The Institute gained Chartered status in 2010.

Today, the Chartered IIA is part of a global community of 230,000 internal auditors in 190 countries and territories. In a letter congratulating the Chartered IIA of UK and Ireland on its 75th anniversary, Benito Ybarra, Global Chairman of the Board of IIA Global (2022-23), said that this is “a significant milestone that reflects the dedication and hard work of everyone involved in the organisation”. The Chartered IIA now becomes an IIA Diamond Affiliate of the Global Institute.


These articles were published in September 2023.