Auditors will be dealing extensively with ransomware and the long-term effects of the pandemic in their audit plans for next year, according to new research from Gartner.
The data analyst's 2022 Audit Plan Hot Spots report also unearthed audit concerns about other risks in the IT sphere, including data analytics and IT governance, in the wake of the increased significance of digital capabilities due to COVID-19.
Along with ransomware, societal expectations of companies — like environmental, social and governance risks — as well as operational resilience, were identified as top risk areas for auditors next year.
“Ransomware attacks have become increasingly prevalent and sophisticated,” says Gartner research director for audit and risk practice Zachary Ginsburg. “They are becoming a top focus for both boards and management.
Gartner says many of the 12 risk hot spots – such as economic uncertainty, workforce management, and business continuity – relate to the ongoing effects of the COVID-19 pandemic.
2022 Audit Plan Hot Spots
- Data and analytics governance
- Digital business transformation
- IT governance
- Third parties
- Business continuity and organisational resilience
- Environmental, social and governance (ESG)
- Supply chain
- Strategy execution
- Workforce management
- Retention and recruitment
- Economic uncertainty
“Ransomware is resulting in revenue and data loss, compromised data, reputational damage, significant operational disruption and more,” said Ginsburg.
“Regardless of their size or revenue, organisations should assume they will be targeted with ransomware, and they should examine their prevention, detection, mitigation, response and recovery measures.
Gartner experts recommend five initial steps for auditors to assure their organisations' efforts to mitigate risk from ransomware attacks:
- Evaluate employee security training
- Assess external relationships for ransomware support services
- Review ransomware attack response plans
- Assess data storage policies
- Review service provider ransomware attack communication protocols
- Diverse risk landscape
Although ransomware should be a key concern for auditors in 2022, there are many pressing risks covered within the 12 hot spots that must not be left unaddressed. Many relate to the ongoing economic impact of COVID-19, which has created massive turbulence in global markets.
“Global business operations continue to be disrupted by supply chain issues, shortages, and other ongoing market effects from the pandemic-era economy,” said Ginsburg.
“These include fierce competition between organisations for talent, greatly increased shipping prices and times, and shortages of key goods such as semiconductors.
ESG matters have also taken on a new momentum in recent times, with enterprises making public commitments in this area and social and investor activism reaching new levels of intensity.
This is creating risks for companies that are not meeting the expectations of investors, regulators, consumers, prospective and current employees, and others.
“2022 looks like a year that will feature an especially diverse array of unpredictable and highly impactful risks,” says Ginsburg.
“Audit will need increase its capacity to assess such risks and provide related assurance over them to keep up with a highly turbulent risk landscape.