审计计划：构建有效的审计世界

2025 Audit PlanHot Spots Introduction Chief Audit Executives can use this research report to: Each year, Gartner creates the Audit Plan Hot Spots report by combininginput from interviews and surveys from throughout our global network ofclient organizations, as well as extensive secondary literature reviews andinsights from internal experts, to identify the top risks audit should provideassurance over during 2025. Benchmark Audit Plan CoverageCompare, validate and further examine audit plancoverage. The report highlights current risksandtrends in the business environmentand helps audit teams more effectively identify risks to the organization andhighlight key risks for stakeholders. These risks, or hot spots, are the top-of-mind issues for boards, audit committees and executives in organizations ofall sizes across industries and geographic locations. Educate the Audit CommitteeEducate the audit committee on risk trends thataffect global organizations. This abbreviated version of the 2025 Audit Plan Hot Spots report includes:•Key themes underlying this year’s hot spots •Top 12 risks across IT, operational, financial, and strategic themes•A deep dive into urgency drivers, recommended actions, and keyquestions for 3 of the top risks•Comparison ofhot spots across the past 5 years Drive Audit Team DiscussionsEnable audit teams’ discussions prior to audit engagement planning and scoping. Assess Key RisksDetermine appropriate questions to ask To access the full research report and related resources, guidanceand tools, contact us to learn more about becoming a Gartner client. management during risk assessment and auditscoping. 3 Themes Underlying the 2025 Hot Spots Winning Through Change Optimizing ResilienceInvestments Implications of AI Adoption1 Organizations must continue tonavigate an environment of larger-scale and more frequent change,creating challenges for both definingand executing strategies. Theaccelerating pace of technologicalinnovation is inducing organizationsto undertake massive digitaltransformation efforts. Organizationsmust also actively prepare forlonger-term impacts of climatechange and demographic shifts thatwill impact operating models,workforces and consumer markets. One theme has dominated both thebusiness world and culture at largein the past year: the burgeoning AIrevolution. Yet while organizationsare investing heavily in AI, manystruggle to quickly achieve high-quality results. A clash betweenunrealistic expectations and a hostof implementation challenges—from lagging data quality to a lack ofrobust internal controls—could seemany organizations falling short ofAI’s transformative potential,especially in the short term. The CrowdStrike Windows outage inJuly 2024 was a resounding wake-up call on the importance ofresilience. Scenario planning, whilean important preparatory measure,can only scratch the surface ofpotential sources of disruptionacross IT systems, cybersecurityperimeters and supply chains. As aresult, organizations must investsignificant resources in buildingcapabilities to respond quickly to theunexpected. Perhaps the thorniestchallenge when it comes toresilience is rightsizing investments,effectively triaging where resourcesshould be allocated. 2025 Audit Plan Hot Spots 2025 Audit Plan Hot Spots Cybersecurity Vulnerabilities DeepDive Challenges bolstering identity verification techniques, especially to adapt to growing threats like AI, and insufficient investments in cyber breach response and recoveryare contributing to what cybersecurity professionals describe as the most challenging threat landscape of the past five years.1Cybercriminals are conducting moresophisticated social engineering attacks, and deepfake incidents saw a tenfold increase between 2022 and2023.2Meanwhile, the overall volume of threats continues togrow. Eighty-one percent of organizations experience at least 25 cybersecurity incidents a year, suggesting it is no longer a question of if an attack will occur, butwhen.3Yet investments in response and recovery capabilities are nowhere near the level they need to be. For example, only 25% of CISOsare defining and automatingincident response processes across different teams and individuals.4Failure to adapt to evolving attack vectors and invest sufficiently in cyber resilience could increasethe likelihood of data breaches and business continuity disruptions. Plans to Cover Cybersecurity Vulnerabilities in Audit Activitiesin the Next 12-18 MonthsPercentage of Respondents Confidence in Audit’s Ability to Provide Assurance OverCybersecurity Vulnerabilities RiskPercentage of Respondents Cybersecurity VulnerabilitiesUrgency Drivers Key Risk Indicators Identity Verification and Management Challenges Identities represent one of the biggest threats to organizations: In the last 12 months, 93% of organizations sufferedtwo or more identity-related breaches.5Yet organizations struggle to meet evolving needs, as 47% are notadequately staffed