The global economy has been severely impacted by the COVID-19 pandemic, with a speed of onset that has taken the world by surprise. Hardly a short-term event, experts agree that businesses will continue to feel the negative impact of COVID-19 for some time. The imperative of "flattening the curve" to contain the spread of the virus has caused significant global disruption, with business volumes and revenue in decline and further contraction expected throughout 2020 and beyond. Organizations are already experiencing a loss of customers, liquidity crisis, supply chain disruption, and employee reductions and layoffs.
Organizations worldwide have taken swift, proactive measures in response to these challenges. Many, for example, have launched COVID-19 crisis management teams focused on addressing the immediate needs of customers and employees. Senior management teams are also undertaking exercises in stress testing of strategic, financial, and operational scenarios, and some forward-looking organizations have started planning for a post COVID-19 business resumption scenario. Given expected reductions in core revenue streams, executives are likely to focus on specific revenue loss-mitigation steps as well as scenario planning for high-impact events, such as the possibility of a second wave of COVID-19. Simultaneously, they will try to shore up profitability by sustaining as lean an operating cost structure as possible, with greater digital enablement and variable resourcing while enhancing resilience.
Workforce reductions through layoffs and furloughs are likely to have a material adverse impact on business processes, weakening internal control structures and rendering them potentially inadequate to fulfill business objectives and effectively mitigate risks. Reduced workforces operating remotely with minimal face-to-face contact for extended periods make organizations more vulnerable. In these circumstances, organizations will continue to witness a marked increase in fraud, financial crimes, and cybercrimes, with many scammers attempting to take advantage of a vulnerable population already stressed by the crisis.
These challenges call for an innovative internal audit response and present a unique opportunity to reimagine internal audit's role in the organizational value chain. We asked several internal audit leaders within financial institutions about their departments' practices since the crisis began. Several innovative approaches, including those shared by these leaders, can enhance value for the organization and help clients recognize the importance of internal audit during these trying times.
Engaging in Crisis Management Solutions
Audit committees and key stakeholders rely on internal audit to provide broad, as well as targeted, assurance and consulting support to weather upcoming challenges. Chief audit executives (CAEs) need to work collaboratively with the audit committee and C-Suite as they plan a series of possible mitigation actions in a thoughtful and deliberate, yet flexible manner based on the evolving situation. Audit executives we spoke to mentioned that their function is participating directly in their organization's COVID-19 crisis management committees and response teams. They have helped shape organizational responses, such as by helping to ensure crisis communications are delivered in an appropriate, transparent manner to customers, stakeholders, and society at large.
A key factor for stakeholders' decision-making is the speed of the risk escalation and the quality of the impact analysis. Therefore, internal audit's experience in risk identification and holistic assessment can help better evaluate the short-term and long-term implications of crisis decisions.
Audit executives also mentioned that COVID-19-related reviews have been added to the audit plan, including remote work activities, changes to frameworks to allow for client concessions, and commitments made to clients. These topical reviews are completed within very short time frames — some in a few days — to promptly inform of, and escalate, any issues.
Supporting Employees, Stakeholders, and Customers
The crisis presents many opportunities for the audit function to act as trusted advisors and help the organization maintain core functions, support customers, manage key risks, and remain resilient. One audit executive mentioned that internal audit's first area of focus was on the safety and well-being of audit employees, quickly implementing work-from-home practices, allowing flexible working arrangements to enable home-schooling, and supporting those who are self-isolating. Prioritizing client needs, many audit functions scaled back on traditional assurance work and relaxed timelines for audit issue remediation to create breathing room for business areas to serve their customers. Going beyond business as usual, others demonstrated flexibility and commitment to their stakeholders, helping to do pre-checks on the closing process for quarterly financial statements, pushing validation and other remediation efforts, and providing enhanced business monitoring. While important and time-sensitive audits continue to progress, the scope of these audits was also revisited to focus on top risks.
Certain parts of the organization are experiencing unprecedented levels of activity and resource challenges, such as IT functions that need to meet significant infrastructure requirements and massively scale remote work for digital enablement, customer service, and operational support. Resource pressures will only increase with a growing number of personnel on sick and emergency leaves — or on flexible work arrangements — and limited workforce mobility due to travel and immigration restrictions. Organizations will need support in recalibrating business plans and reforecasting demand, revenues, costs, and profitability in a post-pandemic world, assessing key risks and questioning and challenging assumptions. Temporarily lending expert resources to the business, with appropriate safeguards, will create and enhance the value of internal audit. Such activities may cause potential conflicts of interest in the future and need to be carefully addressed and appropriately managed.
Significant resource savings could be achieved from greater collaboration with the first and second lines of defense, external auditors, and regulators. Internal audit can facilitate the articulation of comprehensive risk assessments and coordinated actions to avoid coverage duplication.
Finding New Ways of Working
Internal audit will need to consider how the pandemic continues to impact work approaches, collaboration, and interactions with stakeholders. "COVID-19 has put a spotlight on the appropriateness of the remote work environment and the productivity that can be realized in a truly effective remote environment," said one CAE. "At the same time, it is highlighting how important in-person interactions are, and that certain benefits cannot be fully replicated no matter how robust the virtual environment."
Reflection on challenges and successes associated with remote workforces will help shape strategic initiatives, including maintaining a lean physical footprint and extending remote working arrangements long-term or even permanently. This new working model will require extensive use of automation tools and frequent touch points with audit teams, clients, and stakeholders. In this scenario, internal audit should assess the impact of remote working on audits of entities and business units that are in different locations, with limited ability to conduct face-to-face interactions, interviews, walkthroughs, etc. Increased reliance on cloud-based IT infrastructure seems inevitable in this remote, digital work environment. Already, the use of teleconferencing tools such as Zoom, WebEx, and Skype has proliferated, but these platforms may also introduce security risks. If data and records to be tested are not digitized or available electronically, internal auditors will need to consider if alternative verification procedures can be performed remotely given the lack of access to the physical documents or data. They also should examine whether this leads to a scope or coverage limitation and consequently a reduced degree of assurance.
Agile Planning and Delivery Models
The COVID-19 crisis has provided an opportunity to rethink internal audit planning processes. The traditional multiyear coverage model and long execution cycles will prove too rigid to respond in a volatile environment. Stakeholders will demand flexibility with respect to scope, coverage, delivery channels (i.e., memos, maturity assessments versus traditional reports, etc.), timing, and escalation methods. Implementing an agile approach in the audit planning and delivery model will help maintain focus on key priorities in rapidly changing conditions and allow for fast reprioritization of work. Agile discovery processes can help quickly assimilate evolving facts and emerging risks into audit planning considerations. Shorter, more collaborative audit engagements will facilitate quicker delivery of actionable insights, enabling rapid corrective actions. One CAE at a global organization has an agile audit approach throughout the audit lifecycle to provide the same level of assurance in less time. The CAE also highlighted "the impact of workforce disruptions on culture and compliance environment" as a key new risk facing the organization.
Audit functions will need to redefine their methodology, workflows, and processes to make them flexible and adaptive to higher impact scenarios. Consensus is emerging around some initial priority areas for internal audit attention in the post-pandemic environment, including:
One CAE mentioned implementing flash reports to provide quicker insights to management in response to stakeholder expectations and higher appetite for agility. Another CAE used innovative solutions for continuous auditing — promptly testing activities that monitor COVID-19-related processes for completeness, accuracy, and timeliness. Other CAEs said they introduced enhanced business monitoring processes to provide real-time feedback on risks.
Extensive use of data analytics — leveraging artificial intelligence, machine learning, and robotic process automation — will be key to support internal audit's agile approach. "Internal audit functions must have access to their organizations' data in order to function at the highest level, and a portion of the audit plan should be focused on ensuring the integrity of that data," said a former head of internal audit and compliance functions at a global consulting firm. "Continuous monitoring of data can drive conversations with management and the C-suite, if anomalies are found, fostering communication and stronger relationships."
Another CAE also highlighted the value of a more flexible, responsive approach: "The importance of internal audit has never been greater, and so we developed a process to more frequently report audit project status and escalate potential roadblocks or issues to the executive leadership team. We also conducted real-time health checks, prioritizing high-risk areas of the company, to provide timely assurance that processes are working as expected. These health checks consider trending risks — e.g., considering how work from home may impact the control environment."
The environment will present new trends in terms of business volumes, revenue, cost, and other financial and operational risk metrics. As a consequence, analytical procedures that rely on historical data comparisons and trend analysis based on budget or prior year numbers may be unreliable. Considerations for "minimum acceptable controls" in severely stressed control environments and business processes are being developed and monitored.
Some need-based, short-term innovations and improvements implemented by internal audit directly as a result of the crisis are likely to sustain and become the "new normal." Flexible, remote work arrangements with less face-to-face interaction will likely continue, and a much larger talent pool could potentially become available unencumbered by geographic "physical presence" limitations. Learning from the upheaval caused by COVID-19, audit teams will need to embed consideration of remotely possible, high-impact Black Swan events in their risk assessment processes. Specifically, at several global financial institutions, there is an increased focus on emerging risks, or external threats, such as climate change, which like the COVID-19 pandemic are continuously developing and hard to measure. Now more than ever, it is important to keep abreast of these risks and consider how to provide audit coverage for them.
Audit departments can help organizations hone their risk-sensing capabilities to better identify market signals, especially critical shifts in the business environment with risk impact. Audit executives say that stakeholders will continue to expect thought leadership and proactive engagement from internal audit to help the business remain safe yet commercial. Internal audit's support and partnership with other functions during the crisis could result in increased mutual appreciation for other's positions, greater empathy, reduced conflict, and enhanced cooperation. As one CAE put it, the situation presents "an opportunity to at least partially hit the reset button on aspects of the function that currently don't practically align with being a trusted advisor and partner."
Reshaping the Future
COVID-19 will continue to cause irreversible changes in many areas of society, including some that are yet unforeseen. While there are extraordinary challenges, there are also unprecedented opportunities for internal audit to support the organization and its clients, redefine ways of working, and enhance the influence and impact of audit with innovative methodologies and tools. Internal audit is uniquely positioned to anticipate these changes and to help shape future business vitality and health.
Numerous audit leaders shared their perspectives for this article, including Demi Agrotis, head of audit, Commercial Banking, Lloyds Banking Group; Nancy Haig, principal consultant, PIACLLC; Scott Kenney, chief audit executive, Moody's Investor Services; Eleonora Pechenik, Citi chief auditor, Spread Products and Markets Operations, Institutional Clients Group; Gavin Pickering, U.S. chief audit executive, Rabobank; and Patrick Simonnet, U.S. chief audit executive, Bank of China.