Top risks auditors should cover in their 2022 audit plans

Ransomware and the long-term effects of COVID-19 on markets and organizations are key items to cover in 2022 audit plans, according to a Gartner report. The report also identified evolving societal expectations for enterprises, such as environmental, social and governance (ESG) risks, and operational resilience as top risk areas for 2022.

“Ransomware attacks have become increasingly prevalent and sophisticated,” said Zachary Ginsburg, research director for the Gartner Audit and Risk practice at Gartner. “They are becoming a top focus for both boards and management.”

Audit concerns about other digital and IT risks, such as data and analytics and IT governance, also reflect the increased importance of digital capabilities in the wake of COVID-19, and the need for rigorous assurance over associated risks. Many of the 12 risk hot spots – such as economic uncertainty, workforce management, and business continuity – relate to the ongoing effects of the COVID-19 pandemic.

2022 audit plan hot spots

• Ransomware
• Data and analytics governance
• Digital business transformation
• IT governance
• Third parties
• Business continuity and organizational resilience
• Environmental, social and governance (ESG)
• Supply chain
• Strategy execution
• Workforce management
• Retention and recruitment
• Economic uncertainty

“Ransomware is resulting in revenue and data loss, compromised data, reputational damage, significant operational disruption and more,” said Ginsburg. “Regardless of their size or revenue, organizations should assume they will be targeted with ransomware, and they should examine their prevention, detection, mitigation, response and recovery measures.”

Providing assurance

Experts recommend five initial steps for auditors to provide assurance over their organizations’ efforts to mitigate risk from ransomware attacks:

• Evaluate employee security training
• Assess external relationships for ransomware support services
• Review ransomware attack response plans
• Assess data storage policies
• Review service provider ransomware attack communication protocols
• Diverse risk landscape

Although ransomware should be a key concern for auditors in 2022, there are a lot of pressing risks covered within the 12 hot spots that must not be left unaddressed. Many relate to the ongoing economic impact of COVID-19, which has created huge turbulence in global markets.

“Global business operations continue to be disrupted by supply chain issues, shortages, and other ongoing market effects from the pandemic-era economy,” said Ginsburg. “These include fierce competition between organizations for talent, greatly increased shipping prices and times, and shortages of key goods such as semiconductors.”

ESG matters have also taken on a new momentum in recent times with enterprises making public commitments in this area, and social and investor activism reaching new levels of intensity. This is creating risks for companies that are not meeting the expectations of investors, regulators, consumers, prospective and current employees, and others.

“2022 looks like a year that will feature an especially diverse array of unpredictable and highly impactful risks. Audit will need increase its capacity to assess such risks and provide related assurance over them to keep up with a highly turbulent risk landscape,” said Ginsburg.