The COVID-19 pandemic has caused a shift in how many internal audit functions operate within businesses. These functions must revisit their role within business continuity efforts and how the organization is addressing the threats and uncertainties of today. With some adjustments, internal audit can enhance processes and reduce risks in a new work environment, and provide a new level of value to the organization.
The impact of COVID-19 is different for each organization. Internal audit should consider the following practices as it looks to support the business and its stakeholder needs.
Risk assessment and priorities
Internal audit functions should revisit their audit plans and activities to determine how risk has changed and how best to allocate resources to better support the business. In many instances, organizations are necessitating delays or audit cancellations to focus on immediate business continuity efforts. Internal audit should work with the business leaders to understand the effects of COVID-19 and management plans in order to better align its activities.
We are seeing internal audit advise business on management plans and raise risk considerations for informed decision-making. As management implements new processes, systems and activities to address the evolving needs, internal audit should advise the business of potential vulnerabilities or gaps that may not be considered.
Continued operations for in-person activities
Audit executives are shifting their existing plans from in-person activities to remote work environments. Many audits, activities and operations that typically require on-site and in-person involvement can most likely be performed remotely while adjusting audit test steps and processes.
For operations that require in-person activities, executives are adding shifts throughout the day for fewer face-to-face interactions. For example, companies considered essential are creating alternating shifts of four-to-five hours each for on-site work to reduce the number of people in the building at any given time.
Collecting evidence and reviewing documentation remotely via Microsoft Teams, Webex or Zoom may solve the need to go on-site to perform an audit. If going on-site is an absolute necessity, pushing the on-site test steps to later in the year might make sense, while teams perform as much of the work remotely as possible in the meantime.
With remote working, internal audit may see additional challenges obtaining support and information when performing audits. Auditees may have competing priorities, responsibilities with family and children at home, and other commitments. It is more important than ever that internal audit work with the business and auditees to understand schedules, preferred methods of communication, and regularly connect with stakeholders to discuss progress and challenges. Internal audit should factor in additional time for delays and the unexpected during times like this.
Internal audit may also consider revising its traditional approach to auditing certain areas. Many audit functions are adopting more agile approaches to internal audit. Based on perceived risk, some internal audits are creating a backlog of items to be reviewed and carry out sprints (short bursts of planning, testing, reporting and collaboration) against those items.
This approach provides flexibility, fosters collaboration and creates fast audit execution. With uncertainties in the business environment and emerging risk, an agile approach is iterative and allows internal audit to better prioritize and adjust activities based on the risks.
This is the time to think outside the box and see how internal audit can be as efficient and productive as possible with audits, assessments or reviews, and remain safe at the same time.
Redeploy audit staff
When audits and assessments are delayed, other critical functions and processes may take precedence, and several of these processes may be completely new. Audit executives are redeploying audit staff to support these functions as they learn, build and expand new skill sets. The pandemic is forcing companies and executives to face brand-new challenges, and leveraging each other to support these challenges is essential.
For example, several chief audit executives are leveraging auditors to assist with the establishment of new standard operating procedures or interim policies for departments. Auditors are performing cost-benefit audits instead of operational audits to identify cost savings. Here are a number of other ways internal audit can help:
- Work with the business to reduce dependence on physical documentation and physical signoffs. This may include:
- Training process owners on using e-signing mechanisms
- Helping with scanning and archiving documents to the cloud
- Develop checklists for control owners to help with control and process execution (for example, adding a detail review procedure that can be added at the beginning of an Excel workbook showing the review steps).
- Develop baseline key reports.
- Perform data analytics on the company’s vendor activity, traveling expenses, etc., and develop trends for future use. Identify cost savings or anomalies in the transactions.
- If the organization is public and large, develop questionnaires covering the most critical controls and roll those out to the smaller business units that may not be in scope for SOX.
- Host virtual trainings.
Data privacy in the remote environment
With the rapid decentralization of so many businesses across the world as stay-at-home or shelter-in-place orders continue, organizations that are subject to data privacy requirements should ensure that changes to their internal operations do not result in noncompliance.
For example, if your organization has a commitment to maintain and store data within a certain geographic boundary, the sudden deployment of the remote work environment could result in users accessing data from outside that area. This situation can be especially difficult to monitor for multinational organizations that may have data privacy commitments in various jurisdictions or organizations that are allowing users to connect personal devices to the remote workplace.
Internal auditors should review organizational privacy commitments and requirements to fully understand the obligations of their organization and how those obligations may be affected by the remote work environment. Internal auditors can also collaborate with information technology personnel to monitor traffic and data flows across their network to identify connections or transmissions across geographic boundaries.
Emerging and evolving risk areas
Specific areas of risk are emerging from this new work environment. Internal audit needs to be keenly aware of these risks and work with the business to understand the effectiveness of the company’s risk management practices. The following areas are some examples internal audit should consider for potential threats or vulnerability:
- Business continuity planning and disaster recovery
- IT and cyberthreats
- Health and safety
- Data privacy
- Operations and supply chain
- Strategy and branding
- Liquidity and finance
As the COVID-19 pandemic continues to evolve, internal audit has an important role to play within the organization and has the opportunity to look at a number of creative ways to support the organization and its teams.