When normal processes are upended during the coronavirus challenge, internal audit teams need to keep a focus on identifying and managing critical controls.
The effects of the coronavirus (COVID-19) pandemic have been disruptive to organisations, individuals and Australia’s economy. And with management’s attention on the business’s COVID-19 response, internal audit, along with risk practitioners, has a responsibility to monitor key risks, support critical control operations and protect against vulnerabilities.
During times of crisis and uncertainty, where normal processes may be weakened or less transparent, the opportunity for those controls to be exploited is much greater – employees may access systems in different ways, delegations may change to cover absentees and workload changes, and oversight may be weakened with diverted responsibilities – all of these changes bring new risks and opportunities for fraud.
Many organisations don’t have an internal audit program of critical control monitoring. Even where such a program exists, the changing risk profile presented by COVID-19 requires them to be re-evaluated.
Internal audit teams need to mobilise quickly to identify critical controls, then perform a targeted and timely evaluation of their performance. As an example, the implementation of widespread work-from-home arrangements presents a potential segregation of duties issue, where organisations are used to physical proximity to enforce segregation. Manual workarounds implemented to ‘get things done’ may compromise the integrity of the control framework where there is no effective oversight and monitoring.
Internal audit professionals can implement critical control monitoring by confirming new and existing key risk areas, identifying and agreeing on critical controls and implementing continuity procedures to ensure continued operation.
Internal audit functions should partner with their organisation’s risk function, to identify:
This analysis should be supported by outcomes from crisis management and business continuity teams, existing risk information and discussions with key management and executives.
For key risks identified, consider the extent to which controls currently exist, the impact of COVID-19 on the operation of those controls, and agree on which controls are critical during this disruption, and for ongoing monitoring.
Characteristics of a critical control, to assist in identification, include:
It is important that internal audit teams also consider how those controls may have changed as a result of the recent disruption and whether those changes are both sustainable and effective. Consider the following:
Crucial to providing comfort over the continuity of critical control performance is mobilising quickly and performing regular checks, so any gaps in controls can be rectified in a timely manner.
Continuous and close controls monitoring, leveraging repeatable data analytics (where appropriate) and behaviour analysis should be implemented to quickly rectify any gaps.
Steps for Internal Audit practitioners to consider include:
Below are examples of common process and risk areas for consideration when identifying which critical controls should be closely monitored during the COVID-19 environment.
If you have any questions regarding the content of this article and would like to speak to someone from our team, please contact us.