Typically, the staff structure of an Internal Audit function has the following characteristics:
Long-lasting leadership team (i.e. more than 10 years of experience):
- Experienced group of auditors, including Chief Audit Executive (CAE), that ensures continuity
- Typically the group makes up 20-30% of the total IA staff.
- The team has perfected the operational IA execution, including planning, field work and completion as well as reporting.
- In certain cases, the IA leadership team can be slightly out of touch with the business, i.e. tackling emerging and key risks, using new technologies and having a more modern understanding regarding the role of IA.
- In the past cooperation or coordination with 2nd line of defense functions was limited.
- No enforcement of extended cross-departmental assurance and
- No active pursuit of consulting services.
Young, somewhat inexperienced staff (i.e. 0-3 years of overall work experience):
- Group of freshly graduated or young professionals with limited work experience.
- Usually hired as part of a talent-onboarding and internship program (high motivation and clear agenda to learn, acquire experience and travel the world).
- The group typically makes up 70-80% of the total IA staff.
- Because of their lack of experience, they miss a comprehensive understanding of the business strategy, embedded processes and routines (i.e. standard operating model), the corporate culture, designed and implemented governance and control frameworks, IT landscape, etc.
- This group of IA staff tends to have limited prospects of continuing their IA career (i.e. higher fluctuation rates and internal relocation to positions within the business).
Especially IA departments of multinationals that apply a more cycle-based planning approach, the work of an Internal Auditor generally includes a considerable amount of international travelling (i.e. >50%), recurring, similar types of audit missions and a comparable portfolio of audit findings. The work is mostly delegated to young staff with limited field work participation of the IA leadership team.
Having an Internal Audit function is considered an effective signaling and fraud-prevention instrument. It helps to make sure that the organization adheres to rules and upholds an effective corporate governance and control framework. However, this sort of audit focus delivers negligible added value to the business and provides limited assurance to the board regarding potential emerging key risks – especially in times of COVID-19.
Even if the cycle-based audit approach has been enhanced by adding new, risk-oriented topics and end-to-end process reviews, often the IA function finds it difficult to fully grasp the complexity and derive adequate findings and make recommendations that truly add value for the business. This is not so much a COVID-19/lockdown issue but has preoccupied IA functions for a long time now. The challenge is to obtain the right balance between providing assurance over governance and controls while simultaneously trying to make an impact with hands-on recommendations and best-practice comparisons with peers.
The IA Function is faced with even more pressing questions concerning its relevance and its “raison-d’être” with the new post-COVID-19 limitations inflicted on it from the outside (i.e. travel bans, reduced travel possibilities, economic downturns and recessions) and the inside (i.e. reduced staff availability, furloughs, home office, production slow-downs, decreasing sales, imposed cost-saving programs, unbalanced governance and control frameworks, etc.)
In particular, IA has to grapple with the following aspects and questions:
- Relevance: how much added value should or must an audit mission provide to qualify for execution in times like these?
- Impact: which audit mission on the strategic audit plan will impact the organization in times of continuing change and extreme economic uncertainty?
- Feasibility: how can audit missions be executed effectively and efficiently if on-site visits are no longer possible?
- Complexity: how should IA respond when applicable audit procedures are either limited (i.e. videoconference) or more sophisticated in the execution than in previous reviews (i.e. data analytics, process mining etc.)?
- Know-how: is the current staff structure (incl. skill sets and know-how) enough to address these challenges and provide satisfactory results?
All these questions result in structural challenges that an IA function is facing. Accordingly, in light of the assurance mandate the Internal Audit function provides, the Chief Audit Executives (CAE) should reassess how internal audit missions are organized and executed with the IA staff at hand.