The COVID-19 pandemic has impacted society and economies on a scale not experienced for several generations. As is the case with all aspects of an organisation, the uncertainty and change arising from the pandemic has fundamental implications for Internal Audit Functions and how they fulfil their mandate, not just in the short but also the long term.
The COVID-19 pandemic which has swept across the globe has had a disruptive impact on individuals, societies, organisations and economies. The full ramifications are not yet known and there remains a great deal of uncertainty about how and when societies will return to something approaching normality.
As organisations struggle to cope with disruptive effects, and adapt internally to support continued existence and operations, there are critical actions which Internal Audit functions must consider. In order to continue to fulfil its mandate, add value, protect stakeholders and avoid inhibiting the organisation in its efforts to adapt, Internal Audit functions must take appropriate actions in relation to their people, their activities and their processes.
First and foremost, heads of Internal Audit functions have a responsibility to ensure their teams, whether centrally located or geographically distributed, have the support they require. Several weeks into the pandemic, all team members should be aware of organisational protocols for protecting the welfare of employees and their families, and if not, these should be reiterated.
Heads of Internal Audit functions should provide leadership through clear and regular communication of the impacts on the organisation, the function itself and the future direction for both. They should also communicate regularly about new processes and ways of working required to adapt to the changing circumstances.
Team members have different challenges, tensions and ways of adapting based on their personal and professional circumstances. In this context, agility and flexibility is required to enable team members to fulfil their roles.
The annual Internal Audit Plan should be immediately reviewed and revised to identify audit areas which may no longer represent areas of high risk or relevance (such as discontinued projects and operations), replacing these with audits (and other advisory activities) of greater relevance in the current organisational context. The scale and ambition of the remaining plan may also have to be reconsidered in the context of capacity within the function and in the business during this challenging period. An ‘agile’ approach to maintaining the plan will enable Internal Audit to adapt quickly to evolving risks and changing priorities whilst ensuring management and audit committee buy-in.
The focus and balance of the Internal Audit plan may need to change for the duration of the pandemic’s impact, with a greater focus on providing advisory support to business functions going through change initiatives, and focusing assurance work on critical controls.
Internal Audit should add value to the organisations response to crisis and be a voice to ensure any changes to business processes, systems, third party relationships and customer support measures are performed through well governed and controlled processes.
Beyond the short term, organisations’ business models will change, some permanently, and these changes need to be factored into the development of the 2020 Internal Audit plan.
Whilst periods of mandated social distancing continue in Ireland, and many countries across the globe, governments are developing plans for the phased easing of restrictions. Organisations will likewise be planning how to restart activities and operations within the frameworks set by the Government. Internal Audit can also be a valuable voice in these considerations, providing a perspective on risks and their mitigation, and challenging assumptions. In playing these advisory roles Internal Audit must continue to ensure that it is not a decision maker and its independence does not become compromised.
Many aspects of the traditional paradigm for Internal Audit have been made largely redundant by the consequences of COVID-19. The current restrictions have forced Internal Audit functions to think and act differently in the execution of audits.
Most obviously, the social distancing and commercial restrictions have forced Internal Audit functions to execute interviews and testing remotely. By leveraging new technologies in video conferencing, cloud-based applications for collaborative working, and remote access infrastructure, audit work can be carried out as efficiently and effectively as before.
Key to the success of remote auditing are (i) enhanced advanced audit planning and dialogue with auditees with respect to their capacity and access to information required for the audit, (ii) agreeing and applying guidelines on good practice in video conferencing and virtual interviews, (iii) ensuring adequate security measures are in place with regard to video conferencing applications used and in relation to data access, transfer and storage.
As all auditing is currently being performed remotely (and will be in the short to medium term), the location of auditors becomes irrelevant. Consequently, Internal Audit functions with team members globally distributed may be able to better reconfigure audit teams to ensure the most suitable resources are assigned to each audit, irrespective of their location.
As the adoption of technology and digital tools accelerates, so shall the case for investing in electronic Internal Audit file management, workflow systems, data analytics and applied intelligence. Furthermore, Internal Audit functions should use this opportunity to introduce Continuous Auditing activities (‘CA’). CA will enable Internal Audit to automate ongoing monitoring of key risks and operation of key controls, whilst also freeing up Internal Audit’s time to focus on more complex risk areas and advisory activities.
The impact of COVID-19 has been both unprecedented and unpredictable for most organisations, and it would be unwise to consider it an unrepeatable one-off event. Organisations are taking steps to cope with the impact of the pandemic and will need to plan financial and operational resilience for future major disruptive events. Internal Audit should be providing its perspective, as a trusted advisor, to ensure these actions and plans are is sufficiently thorough and robust.
Internal Audit functions should also use this period as a launchpad for fundamental evolution of their operating model. In particular, Heads of Internal Audit should be developing their vision of the technology, data and human resources they will require for the future and start building them today.