Cybersecurity and third parties are among omissions, Pulse says.
Internal audit departments are leaving key risks out of their audit plans, The IIA's 2020 North American Pulse of Internal Audit reports. The survey of 630 chief audit executives, directors, and managers reveals a glaring disconnect between high risks and audit priorities.
Take cybersecurity, rated a high risk by more than three-fourths of respondents. Cybersecurity is the Pulse's top risk, yet almost one-third say it's not included in the internal audit plan. Another disconnect is third-party relationships--more than half of respondents rate it a high risk, but less than half include it in the audit plan.
Then there is sustainability risk, which only 10% include in their audit plan. Although only 6% of respondents rate sustainability a high risk, there is growing investor interest in it (see "The Responsible Organization" on page 26). That also was the case for another rising investor priority--governance and culture--which less than half of respondents include in their audit plan.
Such shortfalls in risk coverage were noted in The IIA's OnRisk 2020 and American Corporate Governance Index studies...