COVID-19 and Internal Audit

How many of us could have foreseen the changes that have occurred since COVID-19 was first identified? 

Many, if not all, aspects of our lives have been impacted. As internal auditors, we think about the impact of risk every day. Going forward, COVID-19 will change how we think about and communicate many of the risks that we may not have fully contemplated before. 

Our experiences will also cause us to rethink our processes and the value we bring to our organizations.

The goal of this report is to provide practical direction as to what internal audit functions can do to support their organizations and meet their internal audit charter responsibilities as they work through the impacts of COVID-19 — today and in the future. It draws from discussions and recommendations gleaned from many sources, including internal audit function leaders, consultants, and The IIA’s Audit Executive Center (AEC). 

The contributors discuss how COVID-19 is impacting the operation of internal audit departments, the implications for Sarbanes-Oxley compliance, how the risk landscape has changed and where internal audit needs to step up, and what the future holds for internal audit.


Internal Audit Activities

It is clear that internal audit functions have been inconsistently impacted by COVID-19. The appears to vary by industry, geographic and relevant government mandates, and perception of value provided by the functions. Some internal audit departments have been furloughed for the duration, while others have updated their risk assessment and risk-based audit plan based on the current environment.

Many are focused on the new or updated processes with higher risk profiles such as cybersecurity, identity access management, and remote working arrangements. On April 9, 2020, Audit Board hosted a webinar titled Coronavirus and Internal Audit: Preparing for the New Normal in 2020 and Beyond. The 2,500+ participants were asked to identify which of the responsibilities taken on by internal audit functions have had the most significant impact on their organizations. Their responses were not surprising.

• Updating their risk assessment (45%).
• Carrying out audit projects (39%).
• Creating awareness of key controls (31%).
• Performing research and benchmarking (16%).
• Re-performing essential first- and second-line tasks and processes (16%).

Agility Amid Crisis

Increasing the frequency of the risk assessment is important to reprioritize the organization’s top risks during times of crisis. By identifying and prioritizing the emerging risks related to the pandemic that threaten the business’s top strategies, audit leaders can help executive leadership develop appropriate mitigation strategies to ensure business objectives will continue to be met. Key risks to be assessed during this time are impact to revenues, employee safety and well-being, supply chain, and cybersecurity. Updating the risk assessment is especially useful as this process can highlight the impact of similar risks if the pandemic dissipates before a second wave returns in the next four to six months. Anecdotally, some functions have stepped into roles where their process and risk knowledge allow them to be very impactful and where their independence is a future consideration. For example, because of their process, risk, and control knowledge, some internal auditors have moved temporarily into first- and second-line positions processing and reviewing transactions.

Others are assisting with the completion or review of applications for funding opportunities from federal and state government programs. Some internal audit departments are analyzing the processes that are most affected by the changes required by the COVID-19 environment and identifying the necessary changes in the key controls to minimize the risk to financial reporting, transaction processing, technology operations, and compliance.

Internal Audit Adjusting Audit Plan Due to COVID-19

A recent quick poll by the AEC confirms the anecdotal evidence. Nearly four in 10 poll respondents added new engagements because of COVID-19, and a similar percentage redirected staff to put aside their normal audit work to assist their organizations in this time of crisis by doing non-audit work.

The poll of North American chief audit executives (CAEs) and senior audit leaders, conducted April 9 – 13, drew more than 400 responses.

The data reflect that internal audit’s skills and flexibility are particularly valuable in times of crisis. Internal Audit Foundation Trustee, IIA President and CEO, Richard Chambers’ blog post on the poll results addressed that value.

“Overall, the quick poll paints a positive picture about internal audit’s role in response to this crisis. I believe that shows stakeholders are welcoming the input from internal audit and are looking for new ways to leverage the skills and insights it offers,” Chambers wrote.


Most Impactful Risks

COVID-19 is having a profound impact on most industries and geographic locations around the world. When asked which risk will have the most significant impact on their organizations now and in the next two to four months, webinar participants responded as follows:

• Revenue (61%).
• Human resources (34%).
• Supply chain (28%).
• Another pandemic (13%).

These results are not surprising – we would expect these areas to have the most visible impacts. Revenue risk may include revenue recognition, collections and liquidity, delay in the launch of new products, and changes to the costs of manufacturing, if retooling and other employee protection processes are necessary. The impact on the human capital that our organizations rely on is yet to be fully determined. Attention has been focused on the short-term perspectives of employee well-being and safety, but the long-term impacts are not yet known, as this type of situation has not occurred in at least a generation.

In the long term, we may see organizations adjusting their workforce planning – determining who works (FTE vs. contractor), where, and how they work. Supply chain risk has been very impactful as we have moved to just-in-time processing over the last 20 years, and the ripple effect of China being the initial point of infection resulted in disruption ahead of COVID-19 appearing in most other locations.

Underrepresented Risks Highlighted Amid Pandemic

As time goes by, it is likely that the results of the pandemic will also highlight other areas of risk. The IIA’s 2020 North American Pulse of Internal Audit report, Bridging Critical Gaps, provided an annual snapshot of the internal audit profession. Completed pre-COVID-19, the report identified the following risks recognized by internal audit leaders, executive management, and boards as being among the top concerns for organizations but underrepresented in the annual internal audit plans:

• Cybersecurity. “More than three-quarters of Pulse respondents said that cybersecurity is a high or very high risk. Yet, the number of functions that report no audit plan resources related to this risk remains surprisingly high. Nearly one-third of respondents report they devote no portion of the audit plan to this ubiquitous and dynamic risk.” This is critical as organizations have moved to a remote workforce and operational work streams in response to COVID-19, placing reliance on processes and controls over cyber risks that may not be adequately assessed.

• Information technology. “For information technology – defined as the use of technology for communications and information gathering and storage – size largely dictates audit plan coverage. Overall, 69% of Pulse survey respondents report they include IT in their audit plans.” During March 19–23, 2020, the AEC conducted a survey of CAEs and internal audit directors in North America. Of the 170 responses, 59% said their organizations added new technology and data security in response to changes in their working arrangements. Again, as organizations have shifted to rely even more heavily on technology capabilities, processes, and controls, it is clear for about 30% of the organizations surveyed that internal audit has not given assurance over the design and operating effectiveness of the implementation of this technology and its operation.

• Third-party relationships. “Less than half (48%) of respondents say their functions devote any portion of the audit plan to third-party relationships. This finding should raise concern because most organizations rely to some extent on third-party providers in key risk areas.” This reliance has not decreased in the current pandemic environment.

However, a significant number of organizations have not reviewed the governance of or design and operating effectiveness of the controls over third-party relationships.

Clearly, the pandemic increases the need for internal audit functions to provide assurance over these risks and others that have increased in the current environment.

The AEC poll noted increases in internal audit focus in all three areas. Respondents reported significant or slight increases in cybersecurity (43%) and IT (38%). Third-party relationships were not broken out in the poll, but the overall focus on enterprise risk management (ERM) increased by 42%.


Our organizations are in a state of flux and will be for some time. There is a high likelihood that internal audit functions are also far from going back to business as usual. We should view this situation as an opportunity to improve our understanding of the risks our organizations are facing and may face in the future and update processes to incorporate these changes.

As operations begin to stabilize, it is important that organizations not lose sight of core activities as other priorities creep in.

The following is a suggested list of priorities for internal audit functions to consider as they respond to the current environment and plan ahead.

Business Continuity

1. Actively engage in the organization’s lessons learned postmortem.

2. Validate that the organization has completed sufficient end-of-crisis preparation to maximize revenue when operations return to normal. Ensure that where new processes are implemented, governance is in place.

3. Verify that business reliance processes and documentation are updated based on the lessons learned postmortem, if needed.

4. Leverage resources, including business benchmarks and internal audit networks, to understand key lessons learned and best practices from other audit leaders.

5. Consider what critical technologies should have been or should be in place in the future to help executive leadership efficiently create and execute effective response plans to future crises with a similar impact on business operations. Examples: remote-working capabilities for employees, cloud-based audit, risk, and compliance collaboration solutions.

Risk Management

1. Verify that our risk assessment process includes all risks that may have a significant impact on the organization in the next four to 12 months, even if the likelihood is low.

2. Assess the frequency, scope of people involved, and the type of reporting of the current risk management process, and adjust as necessary.

3. Leverage automation, as much as possible, to expedite key risk management processes, including risk solicitation, aggregation, assessment, and reporting. Consider cloud-based risk management solutions that allow audit, risk, and compliance functions to quickly assess new and emerging risks, easily visualize the data, and create real-time risk reports.

Internal Audit Operations

Assess the internal audit resource plan and budget to understand if or how the pandemic will impact internal audit. Consider how organizational layoffs, furloughs, and budget cuts will affect audit commitments.

Reassess the internal audit plan to ensure audit resources are focused on process and risk areas most important to the business during COVID-19’s impact.

Reassess how internal audit engages with control owners and audit customers. Will communication and interaction practices in place before COVID-19 enable audit to carry out responsibilities effectively?

Are there opportunities to automate processes, such as document requests and the validation of remediated audit issues, with a cloud-based, end-to-end audit workflow automation solution?

Consider the risk of audit vs. awareness projects. Is it possible that remote work can negatively impact control performance? If so, can internal audit help the organization by promoting the importance of governance, risk, and control responsibilities, and act as a resource for change management?


In the face of unprecedented rapid change in the external environment and in the operations of businesses resulting from the pandemic, internal audit functions are well positioned to lead their organizations through this time. Chambers noted as much in an earlier blog post that examined the complex and dynamic risk set created by COVID-19.

“I believe the pandemic is pulling back the curtain to show us a glimpse of the future. It has put on display the amazing speed of emerging risks; the global interconnectedness of business, industry, and society; and how we react to adversity as a global community. As practitioners in a profession that is risk-centric, we should glean as many lessons as possible from this trial.”

Embracing the changes that have occurred and helping manage downside risks are roles in which internal audit functions can excel.
