ICAEW.com works better with JavaScript enabled.

Cyber security tops business risks, but AI on the rise

Author: ICAEW Insights

Published: 02 Oct 2024

Contents
Poll of chief internal auditors reveals AI, cyber and digital threats will dominate the risk landscape for 2025 and beyond.

Cyber security continues to dominate the list of business risks, according to a poll of chief internal auditors (CIAs). However, concerns about the risks presented by artificial intelligence (AI) are rising faster than any other business-critical issue.

The Chartered Institute of Internal Auditors (Chartered IIA), which conducted the research among almost 1,000 CIAs across 20 European countries, says deep-fake attacks and increasingly intense AI-powered hacks helped cyber security and data security retain its long-standing position as the top threat; 83% of respondents cited it as a top five risk. 

An increasingly weaponised cyber-attack landscape is demonstrated by the recent CrowdStrike event that brought global IT systems to their knees, the incident that affected several NHS Trusts due to attacks on third-party suppliers leading to the cancellation of operations, and the attack on Transport for London that led to some customers’ financial data being hacked. 

Increasingly sophisticated and frequent cyber attacks

The cyber-security threat is forecast to remain the leading risk for the next three years, reflecting heightened concerns over increasingly sophisticated and frequent cyber attacks, affecting everything from customer data to patient safety. 

Human capital, diversity, talent management and retention held its second-place ranking with more than half (52%) of Chief Internal Auditors placing it as a top five risk. Balancing shifting demographic trends with skills and budgetary shortages at a time of increased digitalisation is a key challenge for many organisations. Meanwhile, changes in laws and regulations ranked third (46%). 

Risk in Focus, the Chartered IIA’s flagship report, warns that an evolution of technological threats is transforming the risk landscape like never before. In particular, AI has emerged as the fastest-growing risk to business.

AI fastest rising risk to business

AI now ranks as the fourth biggest risk this year – up from sixth a year ago – and is the fastest rising risk category, with 40% of respondents citing it as a top five risk, up from 33% a year ago. The Chartered IIA says organisations are under increasing pressure to keep up with competitors and harness fast-evolving technology to meet growing consumer demands. 

An explosion in digital disruption and use of new technology and AI means that the AI risk is expected to further increase, with respondents saying they expect it to be the second biggest risk by 2028. 

Anne Kiem OBE, Chief Executive of the Chartered IIA, says AI’s rapid rise as a business-critical risk underscores the unprecedented pace of digital transformation: “While these technological advances offer tremendous opportunities, without proper safeguards they also pose significant threats. Internal audit is uniquely equipped to provide assurance that cyber, digital and technology-related controls are not only in place but effective.”

Good cyber hygiene 

Ian Pay, ICAEW Head of Data Analytics and Tech, says that despite the rising risk profile of AI, the risks presented by cyber security – with more than twice as many CIAs citing it as a top five risk compared to AI – should be reflected in organisations’ risk strategies: “In terms of the risk to an organisation’s fundamental ability to operate, cyber security correctly remains top of the list. This is as much about the security of your own virtual walls as having a strong understanding of the cyber controls and resilience in place throughout your supply chain. 

“While AI and wider digital disruption may change the way organisations operate, cyber security is far more pervasive and risks far greater impact on organisations if – or rather when – a cyber attack occurs. The fact that recruitment and retention is the second biggest risk chimes a lot with everything we keep hearing, including from our recent evolution of mid-tier practice research.”

The Chartered IIA is urging boards and senior management to harness their internal audit teams’ expertise to assess the effectiveness of cyber and digital controls. Where controls are found lacking, internal audit can play a critical role in recommending improvements to protect businesses from these emerging threats, it says.

Policies, processes and controls

As an oversight role, the risks highlighted in the Chartered IIA research would chime with many of the risks faced by the wider business, Pay says. “It is a challenge for both the business as a whole and internal audit teams specifically to keep up to speed on latest technologies, and to ensure that business functions have appropriate policies, processes and controls in place to mitigate the risks associated with technologies such as AI, including bias, hallucinations, data privacy and so on.” 

Peter van Veen, ICAEW Director, Corporate Governance and Stewardship, says: “The report highlights the increasing number of risks that internal audit and the board’s audit committee have to deal with. We concur with the report’s call to action to use internal audit to assess the effectiveness of cyber and digital controls. However, it is important for boards to tackle all material risks. As the report highlights, CIAs see significant risks around human capital, changes in laws and regulations, macroeconomic and geopolitical uncertainty and sustainability, all of which deserve equal attention.”

Macroeconomic and geopolitical uncertainty was cited by 39% of CIAs as a top five risk, driven by the war in Ukraine and conflict in the Middle East. Meanwhile, climate change, biodiversity and environmental sustainability were highlighted as a top five risk by 33% of CIAs, with regulatory pressure expected to push this risk higher by 2028, particularly in light of the EU’s Corporate Social Responsibility Directive along with other climate and environmental laws and regulations.

The top 10 business risks 

  1. Cyber security and data security (83%)
  2. Human capital, diversity, talent management and retention (52%)
  3. Change in laws and regulations (46%)
  4. Digital disruption, new technology and AI (40%)
  5. Macroeconomic and geopolitical uncertainty (39%)
  6. Climate change, biodiversity and environmental sustainability (33%)
  7. Business continuity, operational resilience, crisis management and disasters response (32%)
  8. Market changes, competition and changing consumer behaviour (32%)
  9. Supply chain, outsourcing and ‘nth’ party risk (29%)
  10. Financial, liquidity and insolvency risks (27%)

(% of Chief Internal Auditors ranking as a top five risk)
Source: Chartered IIA Risk in Focus 2025 report

Cyber security awareness

Each year ICAEW marks global Cyber Security Awareness month with a series of resources addressing the latest issues and how to protect your business.

Close up of woman's hand holding a mobile phone, with a lap top open in the background. On the phone is the image of a padlock
  1. Cyber security tops business risks, but AI on the rise
  2. ICAEW reaffirms commitment to gender balance
  3. ICAEW makes business tax case at Labour Conference
  4. How should the UK foster a climate for smarter regulation?
  5. The FCA’s Safeguarding consultation explained
  1. Tax news in brief 2 October 2024
  2. ICAEW helps to plot business tax roadmap
  3. The ups and downs of the VAT registration threshold
  4. Economy explainers: e-invoicing
  5. Tax news in brief 25 September 2024

Further resources

ICAEW Community
Magnifying glass and pen
Internal Audit Community

Essential resources, support and news on the latest technical and regulatory changes impacting the internal audit function. Membership is open to everyone, including non-ICAEW members.

ICAEW Community
Boardroom
Corporate Governance

Stay up to date with the latest news and developments in corporate governance, to help you in your role as a board member, NED or corporate governance professional. Membership is free and open to everyone

ICAEW support
A pair of hands holding 3 blocks showing compliance symbols
Training and events

Browse upcoming and on-demand ICAEW events and webinars covering corporate governance and stewardship.

See what's coming up A-Z of CPD courses
Open AddCPD icon

Add Verified CPD Activity

Introducing AddCPD, a new way to record your CPD activities!

Log in to start using the AddCPD tool. Available only to ICAEW members.
Login

Add this page to your CPD activity

Step 1 of 3
Download recorded
Download not recorded

Please download the related document if you wish to add this activity to your record

What time are you claiming for this activity?
Mandatory fields
Next step

Add this page to your CPD activity

Step 2 of 3
Mandatory field
Back Next step

Add activity to my record

Step 3 of 3
Mandatory field
Back Add activity to my record

Activity added

Go to my CPD record

An error has occurred
Please try again

If the problem persists please contact our helpline on +44 (0)1908 248 250
Add activity to my record