Remote auditing for internal auditors Remote auditing for internal auditors

Some organizations have been experimenting with remote auditing for years, while exploring new auditing techniques and optimizing the use of technology. Yet, few of them really implemented remote auditing. The current COVID-19 crisis however, forces us to abruptly adapt and adjust our traditional way of working.

The world we have known for years has changed drastically. Countries have taken draconic measures to tackle this invisible enemy, going as far as closing their borders and asking citizens to stay home. These current conditions have impacted our societies, resulted in an economic setback felt all around the world and have forced us to rethink the status quo. Many organizations have put their audit work on hold. Yet, given the adjusted risk landscape and changes in procedures, it is imperative that internal audit resumes their tasks as soon as possible. Given the travel restrictions and citizens being obliged to work from home, remote auditing is not an option anymore. It has become a necessity!

At KPMG, we continued to perform audits even during the lockdown measures by doing them in a remote way. It requires some adjustments to your audit approach but has been proven to work. The purpose of this article is to share some insights we hope will help you to adapt your internal audit process to cope with the different challenges of remote auditing.

First and foremost, your annual internal audit planning should be reviewed in light of the current circumstances. There might be an increased need for consulting activities e.g. related to BCM or crisis management. The COVID-19 outbreak has shaken up entire business operations, processes have been adjusted to this new situation and new risks have entered the risk landscape of organizations. Therefore, it is essential that internal audit takes up a proactive role by challenging the business and giving insights in relation to new risks but also challenging changed or back-up processes, changes in the internal control environment, etc.

The best way to refresh your audit focus is to perform a Rapid Risk Assessment by keeping these main questions in mind when approaching different levels within your organization:

Consult our recent publication 19 COVID-19 risks as a guideline to help you assess the current changed risk landscape of your organization.

In every traditional audit, the remote auditor has to take into account some practicalities: who are my key stakeholders, what information is already available, etc. Moreover, when it comes to preparing for remote audits, there are a few additional points to consider:

• Check availability of auditees: Check availability of your key stakeholders. How will we cope with differences in time zones, if any? Which impact does the new situation have on their work schedule and availability?
• Use of tools: Which channels will you use for interaction? Even with remote audits it is important not to forget the visual aspect of a meeting. Therefore, it is really important to thoroughly investigate the different  tools  available,  such  as  video  teleconferencing,  to  enhance the communication with your auditees. Besides this, it is also important to look into a secure and user- friendly solution for document sharing. For the tools that will be used, it’s important to ensure that they are in line with the required security and confidentiality guidelines (confirm with the security department) and that they are easily accessible to all auditees. It might be good to anticipate any issues by testing beforehand.
• Planning of the audit: As a baseline, we would recommend keeping the duration of remote audits concise by well scoping your audit on key risks. It’s better to split the audit into two separate audits and to spread them over the year; as a remote audit might require more investment from your auditees. In contrast to on-site audits, the effects of technical issues (e.g. connectivity, sound quality, etc.) could have a larger impact and may require more time to resolve.
• Clarify the new process: An important matter to consider is the kick-off meeting with all stakeholders where the scope and planning of the audit are discussed. The remote audit approach should be clearly explained to the participants, as well as the differences with face-to-face audits. How and when will the information be shared in the future? Which medium will be used? Are there elements to consider related to confidentiality or authorizations? These are some of the questions you should be addressing.

The execution phases of a remote audit is quite similar to that of a traditional audit. With the main differences being that video conferencing will replace the interviews and documentation needs to be transferred to you through a document sharing platform. This requires some adjustments from the auditors and the auditees. Keeping some of the below points in mind will facilitate the audit execution process:

Video conferencing tools: Video conferencing tools such as Skype for business, Zoom, Teams or Cisco WebEx will replace face-to-face interviews. When selecting your tool make sure that access to as well as data transferred through these tools is sufficiently secured. When selecting a suitable tool and planning video meetings it is important to factor in the following guidelines:

• Try to avoid long and intensive video conferences as they can be more tiring than on-site ones. Try to split them into several sessions around different topics.
• Try to keep the number of simultaneous participants to a minimum and mute those that are not speaking.
• Try to anticipate the effects of technical issues (e.g. connectivity, sound quality, etc.) by testing beforehand.
• Make sure you are familiar with the functionalities of the tool and can guide people who are having difficulties with, for example, their camera or sharing their screens or documents, etc.
• Not everyone is comfortable talking through video, so try to create a relaxed atmosphere and set the right tone.
• Investigate the possibility of recording video sessions, to facilitate your notes taking. If the interview will be recorded, make sure to get the consent of the participants beforehand and consider data security and privacy issues.
• Last but not least, especially in these times, interaction and attention to personal circumstances is of great importance. Being understanding and empathetic can go a long way.

Document sharing platform: Digital files could be uploaded on a shared platform or the remote auditor could receive temporary access to the databases of the audited firm. It is however crucial that sufficient attention is paid to the following points:

• Accessibility and security of the platform as well as confidentiality of the information provided. Make sure access is sufficiently restricted and secured by encrypting the data that is sent across the network (in transit), preferably end-to-end; enforce multi-factor authentication and make sure that information is removed in a timely manner from the platform and stored according to applicable archiving standards and data protection requirements.
• Any restrictions that might be in place on data accessibility and transfer between countries.
• While a remote audit requires digital documentation, it is possible that auditees maintain paper records. The digitalization of these records can be time consuming. Which is why the burden for auditees should be minimized by being flexible and providing alternative solutions for information sharing.

Other sources of information: Where needed, the use of additional tools and sources of information can be considered. An auditee can for example walk you through the warehouse using the video on their mobile phone. You could also make use of security cameras in the building. In the exceptional cases where physical presence remains necessary and no other options are available, the use of local resources (internal or external) can be considered.

Alignment with the auditee: While working remotely, it is even more important to keep in close contact with the auditee to remain aligned. Schedule recurring short meetings (e.g. daily or once every other day) to discuss the status of the audit but also to capture any worries or concerns.

Communication is crucial throughout every audit. Especially with remote audits, audit teams should be clear and consistent in their communication. For remote audits, reporting protocols might need to be revisited with regard to their frequency and the way in which audit teams report to the auditee as sufficient interaction is crucial. Internal audits should certainly pay attention to the following points:

• Focus on key risks: As businesses are already distressed, focus should be put on key risks rather than overloading them with lower risk findings. Additionally, the internal audit team should acknowledge that management has potentially limited capacity to remediate these issues on short notice.
• Validation of findings: Each observation needs to be discussed and validated with the auditees before finalizing the report. This is important because the use of video conferences may lead to misunderstandings between participants. Any feedback received should be incorporated in the report, and previously identified risks and opportunities should be updated accordingly.
• Documentation of new process: It is also important to capture the extent to which different tools were used during the remote audit and whether they were effective or not in achieving the audit objectives. If for any reason, some processes could not be audited remotely, this should be mentioned too.

Once the audit is concluded, practitioners should debrief on the remote audit procedure to assess its effectiveness and to identify opportunities for improvement.

While for many organizations measures such as these are implemented on a temporary basis, it is very likely that (some of) these new ways of working are here to stay.

It is therefore important to set-up the remote audit process (as well as the related tools) as thoroughly as possible with long term success in mind, thinking not only in terms of weeks or months, but also years. It might be worthwhile investing in new technology to better support this process.

Let’s use this crisis as an opportunity to increase our agility and become more resilient for the future!