
Update: Risk in Focus

Articles The Institute of Internal Auditors Oct 09, 2023

Practitioners around the world named digital disruption and climate change as risks that will continue to grow and require additional resources to manage, according to The IIA’s Global Risk in Focus 2024. The new series of reports identifies current and emerging risks for internal auditors in The Institute’s six international regions.  

The reports are based on a worldwide survey of 4,200 CAEs and directors, as well as focus groups and interviews. The initiative builds off the Risk in Focus report begun by the European Institutes Research Group in 2016.

Unique themes emerged for each region, reflecting practitioner focus and current events. For example, “digital transformation” is the theme for Africa, where a wave of digitalization is helping transform Africa’s economies and government systems. 

Meanwhile, “interconnectedness” is the theme in Asia Pacific, where internal auditors say risks are complicated by the high level of economic and political interconnections among countries in the region. The other themes are “macroeconomic instability” in Europe, “relationships” in Latin America, “professionalism” in the Middle East, and “collaboration” in North America.

“We encourage internal audit leaders to use the reports to open conversations with audit committees and top management about the most relevant risks for their organizations in the upcoming years,” says Javier Faleato, The IIA’s executive vice president of Global Strategy and Affiliate Relations.

Two types of reports, one on hot topics for internal auditors and one providing a “board briefing” summary to share with stakeholders, are available for Africa, Asia Pacific, Europe, Latin America, the Middle East, and North America. The reports are available at The IIA’s Risk in Focus resource page and the ECIIA website. —Christine Janesko

Cyber Disclosures Coming Soon

New SEC cybersecurity rules mandate more transparency. 

New U.S. Securities and Exchange Commission (SEC) rules that require publicly listed companies to disclose cybersecurity incidents went into effect in September. 

Adopted in July, the Commission’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules give companies four days to determine if a cybersecurity intrusion is material and to report it to the SEC. The rules allow for a delay if the U.S. Attorney General determines that disclosure would be a risk to national security or public safety.

The new rules also require SEC registrants to describe, in their annual 10-K report, how they assess, identify, and manage material risks from cybersecurity threats, detailing board oversight and management’s role and expertise. Foreign private issuers are required to make similar disclosures annually and in the event of a material cybersecurity breach.

The new rules reflect the SEC’s view that cybersecurity is not just an IT issue but a business issue that requires the full attention of today’s organizations. 

“Currently, many public companies provide cybersecurity disclosure to investors,” SEC Chairman Gary Gensler said in a press release. “I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way.” —Logan Wamsley

Ask an Expert: Trader Woes



Sharon A. Martin is principal, Global Trade, at EY in Chicago.

AI on the Case 

Compared to organizations that don’t use AI and security automation extensively to detect cyber intrusions, ones that do use these tools spent: 

$106 million less

108 fewer days

identifying and containing a data breach.

Source: IBM Security, Cost of a Data Breach Report 2023


Feeling the Effects

Globally, financial institutions are beginning to experience the fallout from Russia-related sanctions:

  • 76% noted increased regulatory scrutiny in 2022.
  • 88% identify sanctions risk assessments as the top investment area in their compliance efforts.
  • 66% expect a further increase in spending related to sanctions compliance.
Source: Grant Thornton, Russia-related Risks Take Hold



Global chief risk officers list top external risks to their organizations:

  • 86% Macroeconomic indicators
  • 55% Pricing and supply distributions of key resources
  • 50% Armed conflict and the use of weapons
  • 50% Regulatory changes, compliance, and enforcement
Source: World Economic Forum and Centre for the New Economy and Society, Chief Risk Officers Outlook


Top reasons 4 in 10 U.S. workers with paid time off take less than their employer allows:

  • 52% Don’t feel the need.
  • 49% Worry about falling behind at work.
  • 43% Feel badly leaving coworkers with extra work.
  • 19% Worry it might hurt chances for advancement.
Source: Pew Research Center, “More Than 4 in 10 U.S. Workers Don’t Take All Their Paid Time Off”

How are geopolitical risks affecting organizations’ global trade strategies?

Many years of geopolitical instability, supply chain disruptions, and nationalistic policies have resulted in complex regulations impacting organizational approaches to global trade strategies. Businesses are facing higher customs duties, expanded export control restrictions, and more attention and enforcement over ESG issues. Organizations today face a heightened need to pursue global trade strategies that support effective, compliant risk management while also managing costs.

How should organizations respond to the risks?

Organizations with supply chain visibility through access to import and export data and knowledge of the physical movements of goods are able to identify risks and quantify trade-related costs. Equipped with this information, organizations can build effective monitoring programs. They also can cut costs by evaluating opportunities to reduce customs duties. “Smart” raw material sourcing — for example, to access preferential trade agreements or move to more favorable locations not subject to the “301” tariffs — could significantly reduce a company’s costs related to trade.

Cross-functional support is another important consideration. Geopolitical risks intersect with many functions within an organization, including finance, logistics, trade compliance, procurement, and legal. Continuing and new requirements, particularly those related to ESG, such as forced labor, the EU’s Carbon Border Adjustment Mechanism, and deforestation regulations, require information and awareness from each of these functions to proactively address the risks.

Finally, talent and resource management is key. Intentional hiring and well-established, compliant, and technology-enabled global trade processes can help organizations maintain the flow of goods with less supply chain disruption. Companies that achieve effective trade operational processes can free up resources, focus on strategies to manage risks, and design programs for reducing customs duties.
