AuditBoard Live Webinar banner advert Diligent One Platform World tour ad April 2024 TeamMate ESG advertising banner 2023

Cybersecurity tops risk list for audit chiefs

New research reveals top ten organisational risks for 2019

Today marks the release of new research findings based on the responses of over 300 chief internal auditors working in organisations across Europe. The research reveals the top risks facing organisations across the private and public sectors in 2019 with cybersecurity commanding the number one spot.

Cybersecurity is now such a big concern for chief internal auditors, that a clear two-thirds (66%) majority of all the respondents that took part said it is now one of the top five risks their organisation faces. Internal audit advises the board on the effectiveness of an organisation’s management of risk.

The research is published in the latest annual risk report ‘Risk in Focus’ produced by seven European institutes of internal auditors, covering eight EU countries. The report highlights the top risks that should be high on organisational agendas in 2019 and further into the future.

The top risks facing organisations, identified by chief internal auditors, are as follows:

  1. Cybersecurity: 66%
  2. Compliance: 58%
  3. Data security & protection: 58%
  4. HR & people risk: 42%
  5. Regulatory change: 37%
  6. Digitalisation: 36%
  7. Innovation: 28%
  8. Culture: 25%
  9. Outsourcing & third party: 24%
  10. Political uncertainty: 23%

Dr Ian Peters MBE, Chief Executive of the Chartered Institute of Internal Auditors said: “It is not surprising that organisations are most concerned with cybersecurity, compliance and data protection in a post-GDPR world.”

“Cybersecurity has been a high-priority risk for a number of years and this shows no signs of abating. However, companies are pushing to move away from legacy systems and, as approaches to managing cyber risk mature, attention is turning to third-party defensibility.

“High-profile cyberattacks such as Petya and WannaCry are becoming more and more prevalent and this means that organisations are only as strong as the weakest link in their IT supply chain.” Dr Peters said.

A major obstacle to mitigating cyber risk is the piecemeal approach organisations have taken to their IT infrastructure planning and development over past decades. Poor governance and oversight of IT functions has meant businesses have gradually built siloed systems and bolted on parts of their network over a period when cyber risk was low.

It is important now that organisations turn to looking at outsourced or third party supply chains to ensure that they are not vulnerable to cyberattacks.

The full report can be found at


Notes to editors:

The Chartered IIA is the only professional body dedicated exclusively to training, supporting and representing internal auditors in the UK and Ireland.

First established in 1948, we obtained our Royal Charter in 2010. We have 10,000 members in all sectors of the economy. Over 2,000 members are Chartered Internal Auditors and have earned the designation CMIIA. About 1,000 of our members hold the position of head of internal audit and the majority of FTSE 100 companies are represented among our membership.

Members are part of a global network of 180,000 members in 170 countries, all working to the same International Standards and Code of Ethics.


In the first half of 2018, seven institutes of internal auditors from France, Germany, Italy, the Netherlands, Spain, Sweden and the UK and Ireland distributed a quantitative survey to Chief Audit Executives (CAEs). The survey received a total of 311 responses from CAEs in all territories and across a broad cross-section of industries.

Respondents were asked to score the biggest risks their organisations face from 5 - 1, with 5 being the top risk and 1 being the fifth biggest risk. This gave a picture of risk priorities in two ways:

First, it showed which risk areas are considered to be one of the top five biggest risks to the organisation, i.e. which risk areas scored at least one point from respondents (regardless of whether it was 5 -1), as illustrated by graph 1. Cybersecurity came out on top, with 66% of CAEs saying it is one of their top five risks.

Second, it showed which risk areas are considered to be the single biggest risks the organisation faces, i.e. those risks that received 5 points from respondents, as illustrated by graph 2. Cybersecurity once again led these results, with 15% of CAEs saying it is their single top risk.

For the first time this year, to supplement the interview process, a survey that received more than 300 responses was distributed. This quantitative research augmented the overall report by providing data on the biggest risks that CAEs believe their organisations face.