Consequences from the COVID-19 pandemic pose an unprecedented risk to the world economy. The severity of the pandemic's impact has left businesses facing difficulties in meeting their financial reporting timelines and audit practitioners confronting scope limitations or complex auditing and accounting issues.
As trusted partners of the business, internal auditors have proactively risen to the challenge to support their clients through a multipronged strategy that includes:
- Providing insights by reviewing the changing risk landscape and its short- and long-term impacts on business.
- Participating in clients' emergency response team meetings to deliver value from a risk-based perspective in a nondisruptive way.
- Prioritizing internal audit work plans and audit resources, and pausing or accelerating audits in progress.
- Planning and providing advisory or consultancy services considering the changing risk landscape.
- Assessing audit skills and diverting short-term surplus capacity to assist clients in their emergency response.
Even before lockdown restrictions began to ease around the world, business managers began planning for the new normal. This has necessitated evaluating and learning from their handling of the crisis before addressing future preparedness strategies for possible pandemics. Audit practitioners are playing a key role in this process through assessing not only their clients' pandemic readiness, but also their own — providing greater value to its clients.
While internal audit leadership plans for the next normal, there are seven lessons it should consider when modeling its work.
1. Impact Assessment
Finding the best approach to handle future crises requires the willingness and ability to quickly learn from past successes and failures and put them into action. As the pandemic continues to play out, practitioners should quickly seek out and document feedback from business management, audit committees, and other key stakeholders through surveys and interviews. Results of such analysis provide valuable input for future risk analysis and work planning. Next, review the adequacy of pandemic response through testing the effectiveness of business continuity plans and some critical procedures the organization followed when the pandemic first began.
More than half of respondents in a 2019 ContinuityCentral survey say that the biggest challenge to their business continuity plans is lack of budget and resources. Put differently, when times are good, the need to plan for future crises fades away. Practitioners should pay attention to potential pandemic-specific risks related to third-party relationships, supply chain, cybersecurity, fraud vulnerabilities, the ability to execute remotely, and, most importantly, establishing and communicating a business continuity plan. While it is not always possible to anticipate the factors that may lead to a crisis, the review should seek to answer whether the entity is able to reprioritize business objectives and address risks.
2. Business Continuity
COVID-19 has demonstrated the relevance and worth of having a robust enterprisewide risk management system. Key questions to ask are: 1) Is the entity's risk management approach sufficiently comprehensive and robust enough to handle a crisis? and 2) Does the entity have the capability to seize potential opportunities that present themselves through innovative business models? For example, when the coronavirus outbreak first occurred, consumers shifted to a stay-at-home economy, ordering groceries online for delivery. To get their share of the online grocery market, grocery chains that didn't offer home delivery invested in their own delivery services or partnered with third parties to compete. In China alone, research shows the online grocery market is expected to grow by 62.9% in 2020 vs. 29.2% in 2019, according to iiMedia Research.
COVID-19 also has highlighted a systemic weakness in that internal audit was not leveraged timely when the pandemic hit. A March Quick Poll by The IIA's Audit Executive Center provides a mixed picture of internal audit's role in the crisis. While most chief audit executives (CAEs) reported that they were involved in their organizations' response to the coronavirus at the time of the survey, 37% said they should have been brought in sooner to discuss the risks and potential responses. Only 43% felt they were involved timely. These numbers should prompt audit practitioners to assess whether their clients' business continuity plans had a spot for audit to partner with management. Pandemic experience should also give CAEs an opportunity to invest time in establishing their own business continuity plans, if they haven't already. Such plans should enable their audit teams to become conversant with remote audit techniques and the technologies used. More importantly, resources and mechanisms should exist for identifying and resolving the constraints in using such technologies.
3. Supply-chain Resilience
Nearly 75% of companies reported supply chain disruptions in some form due to COVID-19-related transportation restrictions, and the figure is expected to rise, according to a March survey conducted by the Institute for Supply Chain Management. People are already questioning the very foundations of the globalized economies that we live within today. Key questions to be considered in the post-pandemic period include:
- Is the supply chain model flexible enough to change if demand for certain products or services rapidly changes?
- Do standard contracts provide sufficient flexibility to maintain key business relationships in the middle of a crisis?
- If suppliers and business partners have their own contingency plans and have prepared for a pandemic, how well will they align with clients' contingency plans?
Above all, the plans should be resilient enough to enable clients to mobilize resources at speed and scale, move from globalization to regionalization, when required, and stop relying on a single overseas supplier.
4. Liquidity and Cash Flow
Social distancing restrictions will hit cash and working capital, including liquidity, during a pandemic. Practitioners need to review what scenario-based measures have been put in place to mitigate the risks of cash and margins becoming tight when there is a financial pressure point. How this will impact the liquidity and cash flow will be a key concern to review.
5. Human Resources Policies
Key questions to consider in this area include:
- Are human resources policies adequate and flexible to address employee concerns, particularly when dealing with the fallout of shifting business or suppliers to different jurisdictions during the pandemic, and its impact on the organizational structure?
- Do staff members have the resilience to adapt to the evolving risk environment through adopting remote working modalities?
Practitioners also should assess if there were policies for staff safety and hygiene and if staff had the skills to work in an environment with limited or no person-to-person contact considering potential social distancing restrictions. This is more relevant in cases where practitioners provide assurance within a school/university system, as the impact of this risk will be felt in the years to come.
Distance is much less of a consideration in today's business world — especially since the crisis. Experience shows that the pace of automation increased during each of the three recessions over the past 30 years. Pandemic situations lead to a surge in virtual interactions and digital transactions. Practitioners should assess the adequacy and effectiveness of resilience, staff skills, the potential to leverage technologies, and the mitigating actions in place to address the risks of cyberattacks during the pandemic.
One positive aspect of the current pandemic has been the opportunity to explore the potential and possibilities of remote work using available technologies. If sustained in the post-pandemic world, this trend will lead to a more environmentally friendly operating concept where audits could continue to be done remotely in a data-driven world.
7. Communication Strategy
Transparent, consistent, and reliable information, particularly from leadership, will help staff, customers, and investors make informed decisions throughout the crisis. Practitioners should assess the adequacy of clients' communication strategies for their comprehensiveness. Public sector auditors should pay attention to the plans, policies, and procedures in place to provide timely, accurate, and reliable information to the public. Pandemic experience also provides an opportunity for CAEs to establish or review their own strategies to proactively communicate with management and audit committees about the pandemic's impact on the business, changes in risk profiles, and results of reprioritization of internal audit work plans.
Toward the Next Normal
No one knows how long the crisis will last, but its impact may continue to shape the world's economy for months, or even years, to come. In looking at the quality of the organization's response to the pandemic, internal audit has an opportunity to reposition itself as a greater value provider, leveraging experiences gained through the crisis to help pave the path to the next normal.