As the coronavirus (COVID-19) pandemic has changed the world, internal audit functions have needed to face that world differently. Before the outbreak, internal auditors worked in similar ways, following the same code of conduct, adhering to the same standards, and using many of the same tools.
Now, auditors have another thing in common: the need to adapt to frequently changing risk conditions.
COVID-19 has fundamentally changed the risk profiles of many organizations. As internal audit ramps up to a “new normal,” it must recalibrate its audit plan from a dramatically different risk perspective.
An Audit Plan in Peril
Let’s examine the timeline of events. Many internal audit functions started their risk assessment and audit planning process in late 2019. By early 2020, departments in most of the world had formed at least a skeleton of their audit plan, and some had communicated their formal plans to the audit committee and senior management.
Some audit functions began executing engagements in early 2020.
That all changed in March, when the coronavirus began to race swiftly around the world and businesses experienced the first effects of social-distancing measures. Operationally, many organizations altered their business practices. From a compliance perspective, some regulatory requirements were suspended or relaxed for entire industries during the outbreak.
As these response measures quickly escalated, many audit functions drastically altered their audit plans. Businesses experienced so much disruption that it was nearly impossible to execute some audit engagements, or there simply was no value in doing so.
Most respondents to an April 2020 IIA Quick Poll say they discontinued or reduced scope for some audit engagements, and nearly half canceled some engagements in response to COVID-19.
Four in 10 respondents indicate they redirected audit staff to nonaudit work. For some audit functions, temporary staff furloughs or budget reductions ended audit work or reduced staff activity to administrative duties.
The audit plan that existed before the pandemic is based on an old risk paradigm. In a post-pandemic world, chief audit executives (CAEs) must think differently about their organizations’ risks and how to redeploy audit resources.
Here are some questions CAEs should ask in rethinking their audit plans.
What does the organization’s new normal look like? Even businesses that were least impacted by COVID-19 will have systemic changes in their risk environment (see “Questions for CAEs” at the end of this article). There may be major fallout to institutions and systems that organizations rely on, and regulators, financial institutions, and supply chains may experience disruptions well past the point when at-home orders are relaxed. Some may no longer exist.
Is my risk assessment process agile enough? This question will be critical as CAEs begin prioritizing how to redeploy resources to address elevated risk in legacy risk areas as well as in new, uncharted territory. Risk assessments need to be agile because risk dynamics may change frequently in the near term. CAEs should evaluate and streamline legacy risk assessment processes.
Does my team still possess the skills to execute the risk assessment and audit plan? In the post-pandemic world, risk profiles probably will change — in some organizations, dramatically. CAEs need to evaluate the talent in their teams and internal audit’s ability to identify risks and execute engagements that focus on new types of risk. They need to address questions such as:
Are staffing levels different? And have there been any changes in talent?
Are there new talent needs as a result of changes to the organization’s risk profile?
Does my team still have an objective mindset?
Unprecedented times call for unprecedented measures, and during the COVID-19 emergency, many internal auditors have been called to duty in ways they never imagined. If auditors were engaged in nonaudit activities within the business or performing activities that normally would be incompatible with professional standards, CAEs should evaluate staff objectivity.
A New World of Risk
The world is different now, with different risks. Internal audit functions must recalibrate how they view the inherent risks their organizations face as the recovery period begins. Although pivoting from the old world to a new one is not a new phenomenon, the magnitude of COVID-19 impacts is more global and more severe than anything most auditors have experienced. Internal audit’s ability to respond is vital not only to how its business recovers, but also how audit realigns with its stakeholders’ needs.
Questions for CAEs
To assess their situation during the COVID-19 crisis, CAEs should ask:
Whatdoesorganizationalstaffinglooklikenow?Havethere been reductions or reorganizations?
should I anticipate?
Have workforce reductions or reorganizations impacted how internal controls are executed? Are there new segregation of duties concerns or controls that no longer have control owners?
Though not frequently used as phishing and malware attacks, Bluetooth hacking is equally a potent technique for many mobile device hackers. Bluejacking is a method of sending unsolicited messages over Bluetooth connections to Bluetooth- enabled devices such as mobile phones, PDAs or laptop computers. Through OBEX protocol, vCard typically containing a message in the name field (i.e., for bluedating or bluechat) is sent to another Bluetooth-enabled device.
Bluesnarfing is gaining unlawful access to information from a wireless device through a Bluetooth connection, often between Bluetooth-enable devices like phones, desktop & laptop PCs, and other PDAs.
OBEX protocol for Bluetooth business cards (vCard) is vulnerable and could be exploited for a hacker’s device to access the target’s device directly without their permission as long as their Bluetooth is turned on. The take away here is to always put off your Bluetooth when not in use.
install malware or establish covert unauthorized connections with the intention to use them later. While this form of attack is very potent, it is the most unlikely of them all given the effort required to get hold of the target device except where close family member or domestic staff are used to facilitate same.
Cybersecurity awareness and education is the foundation towards preventing the above listed attacks. Mobile users most understand the threat/attack vectors that could facilitate the perpetration of these forms of attacks and guard against them by exhibiting the right attitude to security.
They must be able to recognize phishing/smishing messages when they see one, ensure regular patching of their operating system software and applications for fixes that have been made by the OEMs and App vendors, limit physical access to their mobile devices, turning off file sharing services when not in use, among host of others.
What systems were temporarily modified or permanently changed? Were appropriate IT general controls followed for these changes, and, if not, what are the implications?
What controls were modified to accommodate unique business situations or risks?
Have there been any key personnel changes loss of unique subject-matter expertise or loss of key leaders in strategic areas?
Has the organization’s strategic focus changed in the near or long term?
Have there been fundamental changes in the organization’s debt and capital structures? Are there new or different debt covenants?
What new legal or compliance challenges is the organization facing (lawsuit exposures, changes to compliance infrastructure)?
Have new business opportunities emerged and have corresponding risks been identified?
Havethefundamentalsofbusiness-unitoperations or strategies changed?
How have business continuity dynamics changed (key infrastructure changes, key customer changes)?
How have enterprise risk management dynamics changed (key risks, key risk indicators, response plans, and risk appetite)?
How have U.S. Sarbanes-Oxley Act of 2002 dynamics changed, including changes with external auditors, regulatory dynamics, and control owners?