While generative AI is gaining substantial ground as a leading risk tracked by internal auditors, cybersecurity is still the one that attracts the largest share of their attention.
A new snapshot of the internal audit profession, based on a survey of 257 practitioners by professional services firm Jefferson Wells, reveals that 41% of the respondents cited cybersecurity as a leading risk.
Generative AI was next at 35%, followed by business transformation/digitization (27%) and economic uncertainty (26%).
The trend lines for cybersecurity and generative AI appear headed toward an intersection. In Jefferson Wells’ 2023 internal auditor survey, the former was a top concern for 45% while generative AI was only at 17%. Both present challenges with respect to skills development and employee retention, Jefferson Wells noted in its survey report.
The survey also asked participants about their views on what boards’ audit committees prioritize, and the results were directionally similar: 52% named cybersecurity as a leading concern for audit committees (up from 47% two years ago), while generative AI rose from 19% to 39% over the same time frame, leapfrogging strategic risk and business transformation on the list of concerns.
A vast majority (89%) of the surveyed audit professionals said their company’s audit plan includes a cybersecurity audit, while 67% include a generative AI assessment.
“The digital decentralization of technology and interdependence within supply chains will continue to pose cybersecurity challenges,” Jefferson Wells opined.
And with technology continually advancing, the challenges associated with cybersecurity are becoming more complex, according to the report. Half of audit leaders agree that developing and retaining cybersecurity skills is difficult, and only 37% of auditors said they’re seeing an ROI from investment in tools available for cybersecurity audits.
Drilling down into companies’ responses to cybersecurity threats, more than half have reviewed their attack response (56%), addressed associated risks of data storage security (54%) and evaluated security training (53%) within the last 18 months.
On the other hand, a worrisome 14% have not addressed ransomware in their audit plan, and 11% have not independently assessed information security.
The most frequently evaluated areas of information security are password policies (performed by 56% of audit leaders), along with internal and external attack and penetration assessments (46% and 51%, respectively).
With respect to generative AI, 59% of internal audit departments that have increased their headcount said they are doing so because of increased audits into the use of generative AI alone.
Asked about how generative AI will impact internal audit activities over the next year, 48% of those surveyed said they expect significant or transformational challenges, while 22% said they anticipate marginal improvement.





