Crisis situations create new needs, solutions, and risks. To perform well during the current pandemic, businesses continue to introduce new systems and delivery models that may bring unintended risks, including the risk of fraud. These rapid changes to the internal control environment run the gamut from changes to regulations, to governance, to business models, to staffing needs. For some organizations, these changes may create new or intensified material risks.
The audit committee, board, and management tasked with corporate governance are responsible for identifying and assessing new risks that might arise from significant system changes. With their insight into audit clients’ internal controls, internal auditors are positioned to provide assurance on their continued effectiveness.
Regulatory changes enacted during the pandemic have resulted in operational interruptions, trade restrictions, data privacy issues, corporate disclosures, and prosecutions. For example, governments around the world have enacted liquidity support schemes and other regulations addressing financial institutions’ preparedness to address the operational, financial, and other risks associated with the COVID-19 crisis. Regulators also have issued alerts and guidance for consumers.
In the backdrop of financial and operational challenges, these changes might affect implementation and oversight of organizational policies and procedures meant to ensure regulatory compliance. Consequently, some organizations might fail to comply with legal or regulatory requirements, which may create significant opportunities for committing fraud.
Internal auditors should assess the risks presented by regulatory changes. The best way to get a good understanding of the changes is to participate in regulatory impact assessments and follow-up reviews. These exercises also give internal audit an opportunity to understand the potential long-term challenges the organization faces and factor them into audit planning.
A critical impact of the crisis may be that regulators and stakeholders will expect boards to evaluate the impact of pandemic-specific lessons and experiences through innovative governance models. Considering the exacerbated uncertainties and volatility, boards may approve unprecedented levels of investment to ensure business continuity. In a time when the organization must make difficult decisions about its liquidity, dividend payments may raise government scrutiny, reputational risk, and opportunity costs. Such payments also may expose the organization to unintended system changes and challenges.
Transparency in governance is of heightened importance during this crisis. Internal auditors should actively seek timely information on key governance matters to effectively carry out their responsibilities.
Changing Business Models
Organizations are using artificial intelligence tools to evaluate scenarios and adopting agile business models aimed at reducing costs and accessing new markets. Additionally, 78% of nearly 700 respondents to PwC’s August 2020 global CEO Panel survey say “remote collaboration and automation are here to stay.” Such innovations may bring significant changes in the roles and relationships of management, staff, suppliers, and stakeholders, and how those roles may be assigned, combined, or separated. In turn, these changes may involve accountability, sustainability, and scalability risks.
Outsourcing and dependence on vulnerable third-party services in supply and distribution networks have increased significantly throughout the pandemic, requiring additional oversight. To the extent that an organization relies on third parties as part of its control environment, business disruptions related to those partners can become a key risk to address.
During the pandemic, there is a risk that businesses will continue to use the performance measures they used before the pandemic. These measures may not be aligned with emerging risks and changes in their internal controls. For example, the pre-pandemic measures may not have prioritized cyber risks, but now remote work arrangements, technology, and workforce reductions may heighten this risk.
Internal auditors should ask key questions, such as what fundamental changes have taken place to the business models during the pandemic? Are these critical, and if so, what are their potential short- and long-term impacts? With this understanding, auditors can help management visualize what its business environment will look like after the pandemic and start working toward a robust business model.
Bankruptcies mar the business environment. One-fourth of U.S. companies are at severely high risk of bankruptcy because of the pandemic, according to Creditsafe’s COVID-19 Impact Score research, conducted in May 2020. Internal auditors must thoroughly understand the pandemic’s influence on internal controls and work through careful engagement planning, sampling, testing, and documenting the evidence gathered.
Changing Staff Competency Needs
Despite the pandemic, there has been a considerable increase in recruitment in certain sectors such as health care, pharmaceuticals, food, and consumer goods. It is expected that competencies most in demand will be a combination of traditional skills and proficiencies around continually emerging risks such as cybersecurity, health and safety, data analytics, and fraud management. Ideally, people hired will bring new skills that match the new model, but that may not happen if organizations are in a rush to fill key positions to implement a new business model. For example, a November 2020 KPMG report advises that e-commerce companies that are recruiting executives for growing business functions should be cautious of candidates who may lie about their qualifications or past experience.
Internal auditors should look for the significant changes in their organization’s recruitment policies and procedures during the pandemic. They should be concerned about the adequacy of the procedures followed for job descriptions and skill matching, as well as the digital tools used for interviewing candidates.
Heightened Fraud Risks
The pandemic has upended normal processes and activities, which may leave businesses more susceptible to fraud. During the 2008 recession, most anti-fraud professionals reported an increase in fraud, and 80% said fraud was more likely in times of economic distress, according to an Association of Certified Fraud Examiners survey, Occupational Fraud: A Study of the Impact of an Economic Recession.
Shifting to mass remote working, security vulnerabilities in home office networks, and elevated monetary strain provide perfect settings for fraudsters. An Interpol assessment of the impact of COVID-19 on cybercrime shows a significant target shift from individuals and small businesses to large companies, governments, and critical infrastructure, which it expects will escalate.
Management and internal auditors should remain vigilant of the potential fraud vulnerabilities during the pandemic, including:
- New business models that may not be compliant with fighting fraud risks, and lack of key performance indicators to monitor the triggering events.
- Restricted third parties that have been sanctioned or barred by the government, which the business may have hired because of inadequate vetting of their credentials.
- Accounting malpractices to remain in business in response to long-term restrictions due to the lockdowns.
- Key changes to the delegation of authority and inadequate oversight over these actions.
- Relaxation of segregation of duties and monetary limits in place for procurement.
- Partnerships in nations that may be at high risk of corruption and nepotism or have lengthy compliance mechanisms, which employees and governments may not be able to handle.
- Vulnerabilities in the wireless routers used by home-based workers that may expose the organization to cyber intrusion or attacks.
- Absence of oversight over new IT systems and their interfaces.
- Weaknesses in virtual recruitment procedures.
- Employees who perform duties outside of their skill set, particularly related to fraud.
- Employees suffering from financial stress and pressure to meet performance targets, which may heighten incentives for committing fraud.
The key to assessing the impact of risks influenced by the pandemic is understanding the before and after statuses to identify the changes. However, revisiting the entire set of internal controls may strain internal audit’s resources. One practical solution is for internal audit to facilitate a remote, technology-enabled self-assessment that allows management to quickly assess how the controls may have changed.
That said, auditors may need to perform some new tests either to validate earlier results or to test control effectiveness to determine the extent of change. Depending on the magnitude of changes, this exercise could be undertaken either as a part of a planned engagement or as a separate engagement through a multipronged approach that includes:
- Identifying the key business areas impacted during the crisis.
- Evaluating the impacted areas for changes in governance, risk management, and internal controls — particularly those related to changes in the delegation of authority and reporting lines.
- Reviewing the adequacy of oversight procedures established over the impacted areas for enhanced monitoring.
- Assessing the magnitude of impact the changes have had to determine whether the business is operating as it was previously.
- Assessing the effectiveness of alternative controls established where historic controls are no longer effective.
- Assessing the adequacy of the tools used for forecasting and scenario planning to remain as a going concern.
- Documenting the results of the assessment and changes in processes and controls.
- Communicating changes in processes and controls to staff members who are responsible for them, senior management, and the board.
- Developing a schedule for undertaking disaster recovery tests and recording the lessons learned to assist the business in transition from crisis response to business resumption.
- Establishing a protocol for updating control descriptions and control effectiveness in the impacted areas at regular intervals until normalcy sets in and feedback is fed into the review mechanism.
- Developing a dashboard to provide a clear perspective of changes in the internal controls to facilitate creating an appropriate and actionable roadmap of risk mitigation strategies.
Internal Audit’s Balancing Act
Despite challenges in the fast-changing business operating environment, int-ernal auditors continue to provide quality services by effectively adapting their processes. In the early months of the pandemic, internal audit functions reported they expected their budgets to decrease, according to a June 2020 IIA survey, COVID-19: Longer Term Impact on Internal Audit. As the crisis has continued, though, most internal audit leaders surveyed say their budgets have remained the same or increased, reports the 2021 North American Pulse of Internal Audit (see “Audit’s Pulse Is Strong”). Only 17% cut their internal audit staff budget, and 26% decreased external staffing.
These findings may indicate that given the heightened control risks, internal auditors may be more relevant than ever. Balancing this act will test auditors’ own ability to perform well during the crisis. Through prioritization and realignment with stakeholders’ needs, auditors should be in a strong position to assist the organization in effectively navigating through the next normal.