Did your last audit cover digital risks?

As organizations dive head-first into new technologies to avoid being victims of digital disruption, they’re taking on new risks that aren’t even on the radar of many auditors.

Kristina Podnar
January 12, 2021

When Lori Loughlin’s alleged involvement in a college-admissions bribery scheme hit the news, it left a lot of brands scrambling for cover. Why? Loughlin’s daughter, Olivia Jade, is a social media influencer who had deals with numerous big-name brands.

That’s one of the risks of influencer marketing: The actions of your celebrity influencers reflect on your brand, and you have to decide what to do about it.

Olivia Jade has been dropped by Sephora, Unilever, Smashbox, and Too Faced. She’s trying for a comeback, but I don’t think it will happen to the level of relevance she used to enjoy. Nike, on the other hand, stood by its sponsorship of Colin Kaepernick amidst the uproar over his decision to kneel during the national anthem. Reportedly, the marketing department had decided to cancel his contract, but the CEO, worried about the potential backlash, overruled their decision, and the company ended up making Kaepernick the star of its 30th anniversary ad campaign.

Two different celebrity influencers, two different outcomes. What they have in common is that, in both situations, the brands were caught with their proverbial pants down -- something that might not have happened if an internal auditor or digital policy steward had looked at digital risks with the same scrutiny given to financial and operational risks. If they had done so, they could have anticipated and made plans for any controversy surrounding their celebrity influencers.

The role of the auditor is changing.

Traditionally, auditors have been responsible for making sure organizations have their financial affairs in order -- examining financial statements, preparing and filing tax returns, assessing internal controls, looking for evidence of corruption, etc. They also assess risk, such as a critical supplier’s financial instability or the potential collapse of government in an area that supplies an essential raw material.

But, as organizations dive head-first into new technologies to avoid being victims of digital disruption, they’re taking on new risks that aren’t even on the radar of many auditors. And some of those risks are enormous. That’s why it’s critical that auditors look beyond legacy risks and start thinking about digital risks.

Let’s take a look at what a few of those risks are:

Artificial intelligence

Artificial intelligence creates risk when it’s based on flawed data as well as when the algorithm itself is flawed. That type of risk can result in missed opportunities (like making irrelevant product recommendations to customers) or in negative consequences, such as a class action lawsuit claiming that the algorithm a bank uses to process loan applications disproportionately rejects applications from minorities.


Automation

Automation creates risks when circumstances change, but automated processes don’t change with them. One organization, for example, garnered a lot of criticism when its automated pricing algorithm raised prices during a national emergency. With everyone focused on the crisis, no one thought about the automated processes that were still operating in business-as-usual mode.

Cultural roadblocks

Cultural roadblocks come in two primary flavors:

  • The old guard that refuses to change the way they do things: Some top executives guard their turf and are resistant to any technological changes that could undermine their power. (“If AI makes so many decisions, what does the organization need me for?”) And some employees who are nearing retirement may not be motivated to learn an entirely new way of doing things.
  • The young lions who think nothing of using unapproved technology: The young adults entering the workforce today are digital natives: They can’t remember a time when technology wasn’t an integral part of their lives. Technology is so normal to them that they think nothing of things like using their own devices for work purposes, or downloading apps or plugins to their work devices. Both of those actions create risk by threatening the organization’s data security.

Those cultural roadblocks can bring an organization’s digital transformation to a grinding halt...or precipitate a digital crisis capable of bringing it to its knees.


Cybersecurity

A data breach that exposes the personal data of thousands of customers. A Stuxnet-like attack that brings manufacturing operations to a halt. Hijacking of implantable medical devices, threatening the lives of hundreds of patients. Cybersecurity risks are everywhere, and they’ll only increase as our processes and devices become more connected.

Data management

Data has traditionally been seen as an asset, but organizations are quickly learning that it’s also a risk: The average global cost of a data breach is $3.62 million. In addition, as the number of countries with strict privacy laws continues to increase, so does the risk of organizations inviting significant fines and penalties.

Striking a balance between risk and opportunity

Digital transformation has made auditors’ jobs a lot harder. Not only do they need to learn about the risks associated with doing business in the digital realm, they also have to learn about the opportunities it offers. Only then can they advise organizational leaders on which risks are worth taking and which aren’t.

Are your organization’s auditors up to speed on assessing digital risk? If not, this is the time to think about extending practices to encompass all digital risks.

Photo by Ben Carless on Unsplash
