Top Risks for Audit Leaders

Internal audit leaders face an increasingly digitalized and challenging risk landscape as they make their audit plans for 2020.

The annual Gartner Audit Plan Hot Spots report profiles the top risks impacting organizations in 2020, with insight on how audit functions plan to provide assurance over these risks. Data governance tops this year’s list as the key concern of chief audit executives and other stakeholders.

“Chief audit executives (CAEs) are increasingly concerned about how to govern, protect and best utilize data,” says Malcolm J. Murray, VP and Team Manager at Gartner. “Despite its strategic importance, organizations have been slow to adopt data governance frameworks, putting them at risk of large fines, poor strategic decision making and misallocation of critical resources.”

The Audit Plan Hot Spots report is derived from interviews and survey data from over 200 CAEs. 

In 2020, the top risks that are most important for internal audit to provide the board with assurance over are underlaid by four major themes:

  • Increased organizational complexity
  • Heightened stakes for managing and protecting data
  • Digital business transformation
  • Heightened geopolitical and regulatory volatility

Increased organizational complexity

As organizations pursue new market opportunities, build greater ecosystems of partners and continue to digitalize, they become increasingly complex. This complexity, combined with the increasingly volatile risk landscape, leads to higher potential for disruptions and more challenges in strategy execution. Audit leaders must account for these realities:

  • New business models are changing the skills profile needed to achieve business objectives, while fragmented risk management practices hinder organizations’ ability to be resilient in the face of inevitable disruption. 
  • New technologies complicate already complex IT infrastructures, requiring more hard-to-find technical talent. 
  • Changing employee expectations and expanding business models require organizations to rethink their approaches to strategic workforce planning.
  • With regulators increasingly targeting unethical behavior and risk surprises becoming more frequent, organizations need to do more to ensure that decisions are made through a risk lens. This may become even more pressing, as any economic downturn will put organizations at higher risk for unethical behaviors.

Coordination problems continue to plague organizations, leading to risk management lapses as risks become more intertwined and require cross-functional oversight

Heightened stakes for managing and protecting data

Data is a key differentiator for organizations in improving risk management, maintaining competitive advantage and increasing efficiency. However, organizations struggle to manage, protect and capitalize on the large amounts of data available. Data management failures have drawn regulatory and public scrutiny, leading to increased regulations and pressure on organizations to rethink their use of data. To maximize the ability of data to unlock business value while minimizing the risk of fines and reputational damage, organizations must manage and protect data.

Clear governance strategies are essential to harness the power of big data, meet regulatory requirements and make the most of new digital technologies. Despite the strategic importance of data, organizations have been slow to adopt data governance frameworks, putting them at risk for large fines, poor decision making and misallocation of critical resources.

As the number of data breaches continues to rise, so too do public and regulator scrutiny of data protection practices. As a result, data privacy remains a top concern for organizations across the board. From complying with existing regulations, such as General Data Protection Regulation (GDPR), to preparing for new regulations yet to take effect throughout the world, organizations must establish processes to deal with the growing patchwork of regulatory requirements. 

Digital business transformation

Competitive and market pressures are driving organizations to increase their investments in digital transformation. Seeking efficiencies and cost savings, organizations are rapidly undertaking pilots without adequately devising strategies, leading to high rates of project failure as well as limited realization of benefits. 

“The expanding deployment of advanced technologies, most notably robotic process automation (RPA) and artificial intelligence (AI), is complicating already complex IT infrastructures and increasing security vulnerabilities,” says Murray. “Combined with the need to move quickly to keep up with competition, this results in a decreased focus on governance and oversight and weakened internal control systems.”

To mitigate the risks and take advantage of the upside of current and future transformation efforts, organizations must address these risk areas:

  • As the number of entry points into organizations grows, and cybercrime becomes ever-more profitable, the number of cyberattacks continues to rise. The expanding connection of cyber and physical assets, combined with the exploitability of careless employee security behavior, is escalating cyber vulnerabilities. 
  • Investments in AI are rapidly increasing, given the significant potential to drive business value. However, without attention to problems with training data and its susceptibility to tampering, organizations risk unintended compliance and ethics violations and significant reputational damage.
  • IT serves as the foundation of most organizations’ business strategy, making IT governance a key point of focus. As more organizations increase investments in technologies, such as RPA, and gradually modernize their legacy systems, they must pay attention to governance, security and management of IT assets.
  • Projects are essential components of strategies to stay relevant and competitive in the current disruptive environment, yet most organizations struggle to establish standardized and effective project management practices. Without these practices, organizations waste resources and indispensable innovation dollars that could be reinvested elsewhere, and fail to maximize project outcomes and scale project benefits throughout the organization.

Heightened geopolitical and regulatory volatility

Similar to 2018, uncertainty and volatility are prevailing features of 2019 and show no signs of abating. The number of disruptive forces that organizations face continues to grow, while important policy questions remain unsolved. Facing challenges to traditional business models, organizations are advancing digital transformation initiatives and redesigning their strategies to remain competitive. These factors lead to these risk areas:

  • A new wave of regulatory developments — not just on data privacy — is underway in response to escalating cyberbreaches and concerns over climate change. Accordingly, organizations must take steps now to comply with existing regulations as well as prepare for potential future regulatory action in these and other areas.
  • Many organizations are already feeling the effects of high levels of uncertainty and volatility in the global trade system. Combined with the rise in volume and scale of extreme weather events and other natural catastrophes, organizations face significant challenges in terms of supply chain security.
  • The number of third parties that organizations work with continues to steadily grow, along with the diversity and criticality of the tasks they are entrusted to perform. As third parties become more intertwined with critical organization functions, systems and data, negligence and failures at third parties are creating new compliance challenges and the risk of financial and reputational damage.

This article is based on insights that are part of an in-depth collection of research, tools, templates and advice available to Gartner clients.


Gartner Audit Leadership Council members can read more in 2020 Audit Plan Hot Spots.
