Covid-19: What the IT auditor can do to help

The purpose of this paper is to address the challenges that this uncertain environment poses to organisational control environments, as well as to present the redefined role of internal audit in the context of the information technology (IT) agenda in business.

IT management reacts daily to demands and unscheduled events within the company, which can increase the probability of risk. Examples of this include the following:

• IT departments deploy new collaboration tools immediately, potentially evading internal controls
• Unplanned changes are often implemented through a contingency change process to speed up their release
• Organisations look for systematic ways to implement manual controls that cannot be done remotely
• Employees may work in ways that could compromise data protection standards and regulations (e.g. printing sensitive data, forwarding company data to personal emails)
• Rules on procurement of software (e.g. SAAS solutions) and hardware (e.g. monitors, laptops, peripherals) may be relaxed
• IT teams are largely focused on providing system availability and supporting the new working environment, so control execution may become less of a priority
• Strategic projects are paused as IT teams focus on supporting the workforce and implementing telecommuting
• Small changes, such as replacing physical signatures with digital ones, create additional challenges and increase the risk of control failure
• Access permissions may need to be changed more frequently; as additional access may need to be granted temporarily to support unplanned processes

Although risks are not fundamentally new, they are manifesting themselves both in different ways and with increased speed, causing changes in the risk profile of the organisation:

• An increased risk due to the use of tools and technologies that are not aligned with the organisation's security standards
• Cyber risk is increased as cyber criminals may be more active during the time when internal control systems may be weakened
• Data loss and/or privacy risks may increase
• Controls may be bypassed or relaxed to allow for new ways of working
• Control execution may become less of a priority as IT teams focus on system availability and supporting the new working environment
• Fraud risk may increase and become more widespread as controls are relaxed
• Audit activities are de-prioritised, increasing operational and financial risks.

This rapidly changing environment poses a major challenge for internal audit. Key managers are busy supporting day-to-day business operations, which means less time is available to manage audit activities. Internal audit must continue to provide assurance during these uncertain times so that risks can be defined and controls remain effective. 

Internal audit should consider the following activities to remain effective and relevant during these times:

• Working with management on a daily basis to discuss and understand current priorities and actions.
• Be willing to consider less traditional activities for audit resources to support business operations and perform tasks normally undertaken by other services
• Provide practical IT management solutions for major changes and deviations from plans, and articulate ways to embed controls into new processes. Consider short-term, upstream and downstream evaluations of releases of significant changes
• Increase focus on high-risk areas, including areas of increased fraud and regulatory risk (payments, reliance on service providers, data protection, vendor management, privileged access)
• Deploy new ways of working, use collaboration tools, reduce turnaround times for documentation requests
• Analyse and understand how the organisation can maintain an effective security posture and what key changes are being made to the existing strategy
• Take an overview and reflective perspective. While many executives need to keep their focus on keeping the business running, internal auditors can take a step back and and look at the functioning of the organisation from an objective position
• Log all changes made to IT controls so that the current control environment under COVID-19 is assessed and understandable to internal and external stakeholders, making the transition back to business as usual as seamless as possible.

Like the business, internal audit needs to align its work with management while focusing on its role of providing independent and objective assurance to the audit committee and management. In many ways, internal audit can be more effective than ever in these times in supporting the business and demonstrating its role as a strategic function, a partner to management and critical to the operation of the business.

Some or all of the services described herein may not apply to KPMG audit clients and their subsidiaries or affiliates.