How should audit plans change when the entire organization is working from home?
Anunciacion There are two components to this: what's in the plan and how to execute the plan. First, the chief audit executive (CAE) will need to adjust the scope of the audit plan, which could mean an emergency meeting with the audit committee and executive management, or maybe a special session with the audit committee chair to reprioritize. What may have been important at the beginning of the year may not be critical today. The CAE should determine whether to remove, postpone, or even cancel engagements, and decide what can be accomplished given the timeframe and new realities of working from home. Second, how is internal audit going to complete the audits? If auditors can't visit a location, or if they can't do a walk-through in person, consider what technologies the organization has to assist with conducting the fieldwork. There are plenty of online meeting and collaborative tools that can help. If anything, this highlights the need for internal audit teams to be agile, and technology is a big part of that.
Struthers-Kennedy CAEs have been actively promoting their ability to be agile and responsive to a dynamic work environment. Recent events provide an opportunity for audit leaders to "walk the talk" with their teams. Leaders need to apply tools and techniques to facilitate strong communication and increase the monitoring of company activities in a new and remote environment. On the topic of tools, many audit functions had been making concerted efforts to advance analytics and technology-enabled auditing. The need to make increased use of tools and data has never been greater. Internal audit functions should look for every opportunity to apply analytics and other techniques to enterprise data sets to help them accomplish their own risk assurance objectives, as well as provide any necessary support to the broader business.
What key risks should internal audit functions be focused on during times of crisis?
Struthers-Kennedy Beyond the risk of degradation of the broad system of internal control driven by remote working and reduced workforces, two broad risk areas are notable on top of the recurring business risks to any company. The first area includes those looking to exploit the crisis through a fraud or data breach. Bad actors will look for any weakness in controls or oversight that may have been compromised in a time of crisis. In addition, well-meaning employees may now be working in ways that compromise privacy and data protection policies. The second area is in the rapid deployment of new processes and technologies, including changes made to existing technologies through emergency processes, to facilitate a remote workforce. A thorough — but appropriately rapid — assessment should be conducted to understand the potential exposures and related controls. On a broader and more sustained basis, audit functions must develop a more dynamic and responsive approach to risk assessment.
Anunciacion If internal audit has a risk-based audit plan, the approach doesn't necessarily change as the key risks addressed should still align with the organization's strategic objectives. The crisis may force internal audit teams to look at risk much more broadly, such as at an enterprise level — a level or two beyond process-level risk. CAEs also may need to add audits that address areas where there was not risk coverage on the original plan, especially for teams that spend the majority of time on U.S. Sarbanes-Oxley Act or internal control over financial reporting testing. Areas such as business continuity, supply chain, IT, cybersecurity, and operations come to mind.
How should internal auditors be thinking about independence and objectivity in a time of crisis?
Anunciacion Auditors are very well equipped to identify and assess risk and can help the company plan for any situation, but there's a line past design and operating effectiveness. Internal audit can't implement or make final decisions based on any recommendations; that is management's responsibility. Accordingly, CAEs might shift the plan from less compulsory or assurance type of audits to more advisory and consultative engagements. That type of perspective shows there are ways in which internal audit can maintain independence and objectivity while adding value to the organization.
Struthers-Kennedy In these extraordinary times, audit functions should work to provide the best support and partnership possible, delivering on the core mission to protect the enterprise from undue risk while also focusing on bringing extra capacity and capability, which may in some instances result in direct support for core and critical business operations. Internal audit's skills and talent can be helpful in assisting the organization to manage through the crisis, whether those talents are applied to risk assurance activities or, in certain cases, hands-on operational support. Where audit is being asked to provide operational support, this should be done with approval of executive management and the audit committee, including a discussion and plan for how any objectivity or independence conflicts that may be created will be addressed.
What types of training should internal auditors take advantage of when working from home?
Struthers-Kennedy The use of next generation tools, including those used for collaboration, automation, analysis of large and complex data sets, and methods such as agile and design thinking, is needed today. Auditors should take every opportunity to increase their knowledge and skills related to capabilities and features of platforms such as Microsoft Office 365 — which includes a wide range of features that are beneficial to remote work — collaboration tools, and data analytics and automation platforms and methods. There is no shortage of training material available online, much of which is high quality and free.
Anunciacion This is a great time for auditors to knock out items on their laundry list — things that they may not have had time for in the past. Internal audit can do a self-assessment on its current methodology. Perhaps the CAE has been meaning to implement a quality assurance and improvement program — it's the ideal time to do that. Internal auditors should consider taking an online course on data analytics or other technical areas, so that when we do come out from this, they've gained knowledge to broaden their horizons.
What can CAEs do during a pandemic to be better prepared when employees return to the office?
Anunciacion In the short term, it's all about focusing on team and employee morale. We don't always know what's going on in our staff's personal lives. CAEs should be sensitive to those unknowns. They may be experiencing a lack of childcare. Perhaps they have a friend or a relative who was diagnosed with the illness. They may be feeling some financial pressures. CAEs should be flexible in terms of demands and what they're looking for from their teams. Longer term, it's all about perspective. What concessions or modifications to the culture of the team will need to be made once they come back to the office? Is working from home going to be expected? How do CAEs incorporate what they've learned in preparation for future emergencies?
Struthers-Kennedy It can be hard to focus on anything but the challenges and stresses of a crisis, but within this situation — and perhaps even because of it — there is plenty of innovation occurring and opportunity being revealed. Rapid deployment of collaboration technologies, cross-functional and cross-border teams coming together and working through complex situations and decisions in rapid fashion, making better use of data and tools where people and other resources are not available, and working in highly agile and responsive ways are all good examples. Through these pursuits, CAEs are building resiliency into their own departments. The workplace we return to may well be very different; therefore, it's critical the office of tomorrow is shaped to reflect elements of our remote world today.
How will the COVID-19 experience influence remote working arrangements moving forward?
Struthers-Kennedy Concepts such as the "workplace of tomorrow," "NextGen auditing," and even "gig economy" have become commonplace in our vernacular in recent years, albeit with adoption still in early stages for many. The COVID-19 experience has brought them prominently into the spotlight, at the same time exposing those lacking the knowledge, skills, methods, or tools to adapt and deliver value in a fundamentally different environment. Moving forward, there is opportunity for every audit function to be the partner the business needs, and the time for NextGen internal auditing is now.
Anunciacion What is going to come out of this is a greater appreciation for the soft skills that are required to be a successful auditor. One can be a highly proficient accountant or an extremely technical IT auditor, but those soft skills of relationship building, communicating, and building trust and credibility — those are so much more difficult to do remotely. There are parts of the job where internal audit has to be in the office, because that's where the data and evidence resides. But after all this is over, some team members may want to continue working remotely. It's going to force internal audit teams to be creative in how they strike that balance, and soft skills are a component of that.