As the coronavirus (COVID-19) pandemic has changed the world, internal audit functions have needed to face that world differently. Before the outbreak, internal auditors worked in similar ways, following the same code of conduct, adhering to the same standards, and using many of the same tools. Now, auditors have another thing in common: the need to adapt to frequently changing risk conditions.
COVID-19 has fundamentally changed the risk profiles of many organizations. As internal audit ramps up to a "new normal," it must recalibrate its audit plan from a dramatically different risk perspective.
An Audit Plan in Peril
Let's examine the timeline of events. Many internal audit functions started their risk assessment and audit planning process in late 2019. By early 2020, departments in most of the world had formed at least a skeleton of their audit plan, and some had communicated their formal plans to the audit committee and senior management. Some audit functions began executing engagements in early 2020.
That all changed in March, when the coronavirus began to race swiftly around the world and businesses experienced the first effects of social-distancing measures. Operationally, many organizations altered their business practices. From a compliance perspective, some regulatory requirements were suspended or relaxed for entire industries during the outbreak.
As these response measures quickly escalated, many audit functions drastically altered their audit plans. Businesses experienced so much disruption that it was nearly impossible to execute some audit engagements, or there simply was no value in doing so. Most respondents to an April 2020 IIA Quick Poll say they discontinued or reduced scope for some audit engagements, and nearly half canceled some engagements in response to COVID-19.
Four in 10 respondents indicate they redirected audit staff to nonaudit work. For some audit functions, temporary staff furloughs or budget reductions ended audit work or reduced staff activity to administrative duties.
The audit plan that existed before the pandemic is based on an old risk paradigm. In a post-pandemic world, chief audit executives (CAEs) must think differently about their organizations' risks and how to redeploy audit resources. Here are some questions CAEs should ask in rethinking their audit plans.
What does the organization's new normal look like? Even businesses that were least impacted by COVID-19 will have systemic changes in their risk environment (see "Questions for CAEs" at the end of this article). There may be major fallout to institutions and systems that organizations rely on, and regulators, financial institutions, and supply chains may experience disruptions well past the point when stay-at-home orders are relaxed. Some may no longer exist.
Is my risk assessment process agile enough? This question will be critical as CAEs begin prioritizing how to redeploy resources to address elevated risk in legacy risk areas as well as in new, uncharted territory. Risk assessments need to be agile because risk dynamics may change frequently in the near term. CAEs should evaluate and streamline legacy risk assessment processes.
Does my team still possess the skills to execute the risk assessment and audit plan? In the post-pandemic world, risk profiles probably will change — in some organizations, dramatically. CAEs need to evaluate the talent in their teams and internal audit's ability to identify risks and execute engagements that focus on new types of risk. They need to address questions such as:
Does my team still have an objective mindset? Unprecedented times call for unprecedented measures, and during the COVID-19 emergency, many internal auditors have been called to duty in ways they never imagined. If auditors were engaged in nonaudit activities within the business or performing activities that normally would be incompatible with professional standards, CAEs should evaluate staff objectivity.
A New World of Risk
The world is different now, with different risks. Internal audit functions must recalibrate how they view the inherent risks their organizations face as the recovery period begins.
Although pivoting from the old world to a new one is not a new phenomenon, the magnitude of COVID-19 impacts is more global and more severe than anything most auditors have experienced. Internal audit's ability to respond is vital not only to how its business recovers, but also to how audit realigns with its stakeholders' needs.
Questions for CAEs
To assess their situation during the COVID-19 crisis, CAEs should ask:
- What does organizational staffing look like now? Have there been reductions or reorganizations?
- Have key stakeholders changed? What new audit clients should I anticipate?
- Have workforce reductions or reorganizations impacted how internal controls are executed? Are there new segregation of duties concerns or controls that no longer have control owners?
- What processes have been temporarily or permanently changed?
- What systems were temporarily modified or permanently changed? Were appropriate IT general controls followed for these changes, and, if not, what are the implications?
- What controls were modified to accommodate unique business situations or risks?
- Have there been any key personnel changes such as loss of unique subject-matter expertise or loss of key leaders in strategic areas?
- Has the organization's strategic focus changed in the near or long term?
- How have cost structures changed?
- Have there been fundamental changes in the organization's debt and capital structures? Are there new or different debt covenants?
- What new legal or compliance challenges is the organization facing (lawsuit exposures, changes to compliance infrastructure)?
- Have new business opportunities emerged and have corresponding risks been identified?
- Have the fundamentals of business-unit operations or strategies changed?
- How have business continuity dynamics changed (key infrastructure changes, key customer changes)?
- How have enterprise risk management dynamics changed (key risks, key risk indicators, response plans, and risk appetite)?
- How have U.S. Sarbanes-Oxley Act of 2002 dynamics changed, including changes with external auditors, regulatory dynamics, and control owners?