Environmental, social and governance jumped to No. 2 on the list of emerging risks for audit professionals, Jefferson Wells found, just behind cybersecurity. (Photo by Sean Gallup/Getty Images)

Jefferson Wells, the tax professional services arm of ManpowerGroup, reported on Tuesday that while cybersecurity continues as the No. 1 risk among audit professionals, environmental, social and governance (ESG) jumped up to No. 2 on the list of emerging risks.

The study found that with the growing importance of ESG, 71% of chief audit executives (CAE) are including an ESG assessment in their audit plans. And, as ransomware and other attacks have exponentially increased in both frequency and ferocity, internal audit departments have shifted more attention to preventative, strategic methods of cyber defense.

“Cybersecurity remains the top concern for many executives, who are seeing their audit teams expand coverage of information technology governance," said Jim Gusich, the chief audit executive at ManpowerGroup. "But this year's survey also reveals the growing importance of ESG as more organizations are increasing their commitment to developing comprehensive ESG strategies in 2023 and beyond."

Data security and privacy are both areas that have top priority at the board and executive level, and they will be tasking their audit executives to give them greater comfort that the organization's data protection and cybersecurity control are adequate for the current threat audit, said Claude Mandy, chief evangelist, data security at Symmetry Systems.

“Given the complexity and scale of data being collected, used and stored by organizations, audit functions will need more sophisticated tooling to ensure that controls to protect data are implemented adequately across their organization's most important asset: data,” Mandy said. “This should include tools that can provide continuous auditing capabilities on the organization's data security posture, also known as data security posture management.” 

Piyush Pandey, chief executive officer at Pathlock, added that the lack of human resources that audit departments face speaks to the immediate need for automated controls testing, especially those controls related to segregation of duties and data security. 

“Deferring audits creates a situation of compounding risk, which results in greater chances for fraud, lost revenue, and material weaknesses to grow, which can be very difficult for companies — especially those regulated and/or publicly traded — to recover from,” Pandey explained.

Jerrod Piker, competitive intelligence analyst at Deep Instinct, added that as cybersecurity remains the top risk, this means that even with shrinking budgets, organizations are still realizing the need for solutions and services that enable them to get out ahead of cyberattacks.

Piker said it’s also worth noting that internal audit teams are beginning to shift focus to preventative technologies because of the rise in ransomware and other catastrophic cyber threats.

“For security teams, this means that they should also be thinking about prevention as a first line of defense,” Piker said. “Effective prevention means less work on the back end for security teams to sift through IoC [indicators of compromise] and IoA [indicators of attack] data to prioritize response activities. Most preventative solutions also include automated response capabilities, which can not only reduce the attack surface, but cut down on the man hours required to determine root cause and perform post-breach mitigation and cleanup.”