For more than a decade, I’ve embraced year-end as an opportunity to reflect on the significant events from the previous year impacting internal audit via the headlines that influenced our focus. Reflected in 2023’s headlines is a critical transformational priority for our profession: Moving beyond hindsight to provide insight and foresight.
If there was an overarching theme to the headlines that grabbed our attention in 2023, it was related to the looming compliance risks that will emerge from new regulatory requirements in everything from cyber to the environment to how we ensure the quality of our own audit work. Here are my choices for six headlines that defined the year for internal auditors:
Cyber attacks can have catastrophic and far-reaching financial, operational, and reputational impacts. Internal auditors have long recognized cybersecurity preparedness as a vitally important facet of everyday risk management, and The Institute of Internal Auditors’ (IIA’s) professional standards have long required reporting significant risk and control issues to the board and senior management. But with the U.S. Securities and Exchange Commission’s (SEC’s) new cybersecurity rule (see AuditBoard’s complete guide), cybersecurity preparedness is now a compliance mandate.
The new SEC cybersecurity disclosure requirements require SEC registrants to publicly disclose the nature, scope, timing, and impact of material cybersecurity incidents via 8-K filings within four business days of determining materiality, and to disclose information about cybersecurity risk management, strategy, and governance via 10-Ks. Whether your organization is public or private, the new rule impacts you. Private companies that are third parties to registrants are potentially liable for any cyber incidents impacting them, and the SEC’s rule is a harbinger of similar legislation on the horizon. No organization can afford to ignore the import: The time is now to take a fresh look at cybersecurity — and cybersecurity disclosure — preparedness. Is your organization on the path to compliance?
The adoption of AI-powered solutions has increased rapidly in the year since ChatGPT’s launch pushed generative AI into the limelight. But as the world races to capitalize on AI’s extraordinary potential, efforts to understand, govern, and manage the risks around its use haven’t kept pace. AuditBoard’s 2024 Focus on the Future found that only 25% of organizations have defined the risks of, or created guidelines for, their use of AI, and a mere 40% of internal audit leaders have any understanding of how AI is being used in their organizations.
Governments and regulators worldwide are taking notice — and taking action. In 2023, the E.U. Parliament adopted a draft negotiating mandate of its AI Act, the first comprehensive AI law proposed by a major regulator. Just as the E.U.’s General Data Protection Regulation (GDPR) provided a global blueprint for data privacy regulation, the AI Act could also become a global standard. As states like New York and Colorado (see linked headline) pass AI-related regulations, Congress is contemplating various “guardrails,” including creating a federal agency to regulate AI and other technology platforms. Meanwhile, the World Economic Forum has tracked increasing global momentum to regulate AI.
AI regulation is coming faster than you think, and AI compliance risks should loom large on internal audit’s radar. Make sure your organization is closely monitoring regulatory and legislative progress, weighing in on proposals, identifying emerging risks, and preparing for compliance. Internal audit has a critical opportunity to provide eventual assurance on readiness and compliance.
The past year has also seen a global transformation in the environmental, social, and governance (ESG) risk disclosure landscape. After the E.U.’s European Financial Reporting Advisory Group (EFRAG) finalized its Corporate Sustainability Reporting Directive (CSRD) in December 2022, mid-2023 saw the release of the European Sustainability Reporting Standards (ESRS) detailing the metrics and principles organizations will use to comply with CSRD starting in 2024. The regulations apply to both E.U. companies and E.U. subsidiaries of non-E.U. parent companies, with compliance phased in over five years based on organization type and initial mandatory limited assurance.
The CSRD and ESRS are, however, just one part of a larger global puzzle of ESG disclosure requirements and standards. The U.K. adopted its Climate-Related Financial Disclosure Requirements in 2022, the IFRS Foundation’s International Sustainability Standards Board (ISSB) issued its inaugural standards in 2023, and the SEC is expected to finalize its climate disclosure rule within the next few months. Notably, in recognition of ESG’s potential impact on performance, all requirements, standards, and proposals integrate ESG and financial statement reporting. Make sure your organization understands the cross-border implications of its operations and is on the path to readiness, compliance, and eventual assurance. This includes identifying material ESG risks, enhancing or establishing relevant controls and reporting, and ensuring alignment with overall strategy.
In December 2022, the Public Company Accounting Oversight Board (PCAOB) issued a proposed standard addressing the auditor’s use of confirmation. A firestorm ensued in 2023, because — as The IIA’s comment letter pointed out — the proposed standard and subsequent PCAOB staff comments to the press included some rather unfortunate language insinuating that external auditors couldn’t rely on internal auditors to be objective in their work.
The fact that a regulatory body like the PCAOB raised such public questions about internal audit’s objectivity should be a wake-up call for the profession. In terms of internal audit’s objectivity in both fact and appearance, we must never let down our guard. While I’m pleased that internal auditors were able to get the PCAOB’s attention and the standards were finalized with more appropriate wording, the fact remains: If the PCAOB truly didn’t see the problem before we pointed it out, we have work to do in increasing regulators’ and external auditors’ confidence that internal audit is a reliable source of information.
Speaking of confidence in internal audit, the 2023 failure of Silicon Valley Bank (SVB) holds more cautionary lessons. When the Fed released a document trove related to its supervision and regulation of SVB, included was a December 2022 letter from the Fed to SVB’s board concluding that SVB’s internal audit “is not fully effective.” The letter noted several areas “below supervisory expectations,” finding that “the overall assessment was driven by material weaknesses in the risk assessment process, the process to define the IA audit universe, IA’s continuous monitoring, and audit execution.”
SVB’s internal audit function likely deserved this feedback. I would imagine that a great many internal audit functions deserve similar feedback. But the more pressing lesson is that internal auditors must constantly recognize the enormity of the risks facing our organizations, particularly in regulated industries. We also need to recognize that when unpleasant, foul-smelling substances suddenly become airborne, they will eventually hit that proverbial fan — and everyone will run for cover, hoping said substances will land elsewhere. They will point fingers toward internal audit if they can. Have you done all you can to ensure their arguments won’t be valid?
No list of internal-audit-defining headlines for 2023 would be complete without recognizing The IIA’s long-awaited release of a revised set of global professional standards for internal audit. The proposed revisions are the most comprehensive reforms in more than two decades. Representing a major evolution and significant overhaul of the International Professional Practices Framework (IPPF), the proposed standards signal an even greater commitment to internal audit quality and excellence going forward.
A transformation of this magnitude inevitably courts controversy. Indeed, The IIA’s release generated significant discussion, including 19,000+ specific comments received during the exposure’s public comment period. But for all practical purposes, the controversy will be moot the day The IIA releases the new standards (expected in early 2024) since compliance will likely be mandatory a year after issuance. Make sure you understand the proposed standards, stay tuned for the final standards, and prioritize conformance in 2024.
Continuing Internal Audit’s Journey from Hindsight to Foresight
Looking back at the year’s headlines is, of course, an exercise in hindsight. The key is using it to develop the insight and foresight that will help our organizations prepare for challenges and opportunities before they materialize. As we help our organizations anticipate what’s on the horizon — as well as what lies beyond — we must also be prepared to address all the new risks set in motion by the headlines and elevate the performance and stature of our profession. After all, our ability to provide foresight may well be the linchpin ensuring internal audit’s continuing relevance and value.
Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as Senior Internal Audit Advisor at AuditBoard. Previously, he served for over a decade as the president and CEO of The Institute of Internal Auditors (IIA). Connect with Richard on LinkedIn.