COVID-19 presents a clear and compelling danger, not only for the health and well-being of the general population, but for organizations around the world. The pandemic has called upon internal audit functions to assess the impact this scourge has on the safety of their employees and clients, and it has required internal audit to apply more agile decision-making and real-time assurance — all while maintaining adherence to The IIA's International Standards for the Professional Practice of Internal Auditing.
While continuing to navigate this unprecedented situation, practitioners have numerous priorities to consider and risks to address. Although the challenges are many, several areas in particular require internal audit's attention and focus: business collaboration, audit planning agility, audit team capabilities, audit-specific risks, and communication.
In light of the current situation, it is important to reassess risks to refocus on what matters most. The pandemic requires internal auditors to think about how to add value. As longtime chief audit executive and audit blogger Norman Marks said in a blog post on COVID-19, it is a call to reach out to management by asking, "How can we help?" It is an opportunity to leverage our unique objectivity, perspective, and position within the organization to provide value-added, real-time, and insightful assurance.
This is in line with the vision of the internal audit function at Absa Group, a financial services firm based in Johannesburg. That vision is, "To be a forward-looking and leading-edge internal audit function that inspires our people and management to proactively advance the control environment in support of the Absa Group's growth strategy."
Internal audit has to increase its business monitoring activities to real-time or near real-time, enabling practitioners to monitor their business units effectively and appropriately and respond to changing risk profiles and audit needs.
The Impact of COVID-19 on Fraud Risk
Internal audit must monitor and measure the impact of COVID-19 on the organization and the potentially heightened fraud risk it may create. Addressing this risk should include using a mechanism to proactively monitor and coordinate fraud-related audit assurance activities. Potential threats can include cyberattacks, phishing and vishing attacks, banking fraud, unauthorized access to critical systems, insurance scams, and breaches through alternative communication channels (e.g., Zoom video conferencing).
Agile Audit Plan
Reprioritizing the audit plan through ongoing risk assessments is important to align audit priorities to the organization's immediate top risks. These are real-time changes to the audit plan in response to new risk information, and they entail making start/stop/freeze decisions to align the audit plan to meet the specific challenges presented by COVID-19. These adjustments must consider resource requirements and audits that can be performed remotely with minimal impact on the limited business operations. Internal audit must ensure there is adequate engagement with internal and external stakeholders, including regulators, to manage expectations.
Examples of important audit areas during this period include:
Businesses are looking for real-time assurance to get valuable insights on the growing number and magnitude of risks. Internal audit management must empower auditors to work closely with business on data-gathering and enhanced collaboration to facilitate the provision of real-time audit assurance. Internal audit must shift away from a linear execution of the audit scope to a more iterative process and ensure auditors are responsive to the evolving risk landscape.
Internal audit must remain flexible in the face of a rapidly evolving set of factors, as no one knows how long the pandemic will last and the true impact it will have on organizations, both locally and globally.
Audit Team Capabilities
Internal audit has to take measures to ensure the health and safety of its audit staff members, as well as their families and communities. These measures should enable internal audit to work around the audits that require travel or on-site observations. Use of flexible working arrangements empowers audit staff to work remotely while leveraging technology to perform walkthroughs. It also requires more collaboration between internal audit and business to efficiently plan, interact, and share substantive data.
Risks Within Internal Audit
Internal audit must apply the same standards of risk management to itself that it expects to see during a client audit. This entails maintaining a departmental risk register for the internal audit department that shows all risks internal audit is facing and the steps required to manage them. Internal audit, like any department in the organization, faces risks that it is supposed to identify, assess, mitigate, and monitor, similar to any risk management process.
These risks are elevated by new emerging risks, such as the impact of COVID-19. They may include the failure to cover key risks in an audit, inadequate risk assessments, improperly designed audit procedures, auditors who are not skilled in the area they are auditing, false/inaccurate assurance, and the credibility or reputation of the internal audit department.
Potential risks directly related to the impact of COVID-19 include:
- Auditors' restricted ability to travel to perform planned audits.
- Auditors or family members infected with COVID-19 and placed in self-quarantine, affecting audit plan execution.
- Auditors working from home but having challenges with network connectivity or limited access to the internet.
- Organizations scaling down resources and thus unable to assist auditors with requested audit information.
Communication Is Key
Ongoing and consistent messaging from internal audit management is essential to keeping audit staff engaged and abreast of the function's initiatives, as it may impact their lives. It is equally important to keep stakeholders up to date on internal audit activities, including where an audit needs to be deferred or timelines revised.
If in doubt, auditors should always err on the side of over-communicating, as it will help ensure that everyone is on the same page. Or, as expressed by novelist Alex Irvine: "Over-communicate. It's better to tell someone something they already know than to not tell them something they needed to hear."
A version of this article first appeared on IIA–South Africa's website. Reproduced with permission.