In 2016, IFACI, IIA Italy and IIA Spain published ‘Hot Topics for Internal Audit 2017’. This year, a wider group of European Institutes of Internal Auditors have taken a more ambitious approach, interviewing Chief Audit Executives (CAEs) from major organisations in six European countries – France, Italy, the Netherlands, Spain, Switzerland and the UK – to home in on key themes requiring the attention of internal audit to mitigate risk and protect and add value in their organisations.
These hot topics were identified through in-depth, qualitative interviews with CAEs across a diverse range of critically important sectors – construction/infrastructure, financial services, IT, manufacturing, public sector, retail/consumer, telecoms and utilities/energy – and from organisations that truly lead these industries. To put this into perspective, these organisations have an aggregate market capitalisation in excess of €724bn, revenues of over €441bn, employ more than 1.86 million staff and are present in no fewer than 173 countries. In the financial services sector alone, the CAEs represent internal audit functions in firms collectively worth €325bn and turning over upwards of €207bn.
We are truly grateful to those who participated in our research. Their knowledge and insights provide an invaluable snapshot of the thinking of leading internal audit professionals across Europe.
The Hot Topics included in this report reflect risk areas that are being prioritised by CAEs as they prepare their audit plans for 2018 and make longer-term risk assessments. For some readers, these themes will already be fully reflected in their audit plans for the coming year. They may want to use our research to highlight to their audit committees that they are indeed on the right track. For others, this report may serve as a timely reminder, as they finalise their plans for 2018 and beyond, of issues that merit serious reflection. And for all, we hope that our publication will provide a fresh and relevant talking point, both for internal audit professionals and for audit committees and other stakeholders.
Risks are not static and even the most fixed audit plans are subject to change as new risks emerge at the operational, strategic and wider environmental level. What constitutes a potential threat to one organisation may be deemed inconsequential by another. The most commonly identified risk area amongst CAEs of all nationalities and sectors is cyber security. This is no surprise given the scale of the threat and the extent to which all organisations have come to depend on technology. This is followed by the EU’s General Data Protection Regulation and the broader challenge of managing data, with the pace of innovation that businesses face being the third most widely cited risk concern.
There are some observable differences in the priorities of CAEs in different sectors and, to a lesser extent, countries. From the sample we selected, it was found that political uncertainty was cited far more frequently by CAEs of organisations based in the UK, prompted by the prospect of Brexit and the potential impacts this may have as negotiations get under way. Spanish CAEs too cited political uncertainty as an area that could expose their organisations to emerging risks but also opportunities. This is the result of multinationals from the country having expanded into Mexico and the implications of the Trump administration’s hostile position towards the country.
The financial services cohort were more concerned by regulatory complexity than any other sector. This is due to the passing of recent regulations and the impending introduction of new rules across the European Union. Notably, for CAEs at institutions in France, Italy, the Netherlands and Spain there is an added dimension in the expectations of the European Central Bank under the Single Supervisory Mechanism that came into play three years ago and which continues to develop.
The defining theme of this report, however, is the fundamental impact that technology has in shaping, enabling and disrupting organisations’ operations and strategies – a pressure that requires internal auditors to learn new skills and adopt innovative tools to bolster their capabilities in an increasingly digital world. We hope you enjoy this report and we welcome your feedback and engagement.