All Hands on Deck

There is no question that corporate America is facing one of the biggest crises it has ever faced. Indeed, the nation is facing the biggest crisis since 9/11 and possibly since World War II. Nothing has been as disruptive; shuttering stores, restaurants, hotels, and offices across the nation. The coronavirus pandemic is grounding flights and closing borders for weeks, possibly months. In the early days, some were concerned that we were over-reacting as a nation, but hardly anyone is saying that now.

The stock market is down more than 30 percent and a recession is a near certainty, based on the forced disruption to demand on so much of the national economy. No one knows how long it will take until business are re-opening and people are returning to work. And how well it bounces back after the coronavirus crisis has passed is anyone’s guess, but it’s hard to imaging that there will not be long-lasting effects on wide swaths of the economy.

So the question—at least in this little circle of the professional world—is: What can internal auditors do to help their organizations manage through the crisis, and, perhaps for some … to help their organizations survive?

Whatever it Takes
The answer may be different, depending on your unique set of circumstances and the industry you are in, but for most it will be, “whatever it takes.” In other words, it’s “All Hands on Deck” time and you should be launching into action. Man your home-office battle stations and get after it.

“Carrying on as normal is unacceptable. What was identified as the top risk when you did your audit planning and risk assessment—what you are auditing as your read this—is almost certainly not the top risk today.”

—Norman Marks, author of Auditing That Matters

Indeed, internal auditors are uniquely situated to play an important role in our organizations’ response to the coronavirus crisis. They have relationships with senior managers throughout the organization, are used to providing clear-headed thinking on remaking processes and recasting policies and procedures, and have a great understanding of the underpinnings of the business and the relationship between risk and control. They may even be able to leverage their relationships with board members to sit on task force teams or to help direct the crisis response.

The longer answer to what should internal auditors be doing might not even be directly related to their roles in audit and assurance. Everything has changed from where it was even a week or so ago. The economy is shutting down and we are in crisis mode. Internal audit leaders should be receiving their marching orders from the CEO and undertaking actions that leverage their unique skills. If they are not, they should be reaching out and asking: “What can I and my team do to help?” You may need to step into an operational role, for example, to cover for a member of the management team who has been infected or quarantined or help with communications. It is not a time for too much worry about remaining independent or standing on principle.

Read Also, “Six Tips for Internal Audit to Remain Resilient in the Face of the Coronavirus Pandemic.”

Internal audit team members should be doing the same. They should be asking the chief audit executive or their direct managers: “What can I do to help?” And they should be prepared to do whatever they are asked, no matter how menial or how unrelated it is to their normal jobs. During the middle of a tough battle, an intelligence offer doesn’t say, “it’s not my job to take part in combat.” They pick up a rifle and fight.

Everything Has Changed
In a remarkably prescient blog post from February 28, internal audit and risk management guru, Norman Marks, was already hitting on this idea that your role as an internal auditor should be re-examined in light of the coronavirus pandemic. And I will admit that his message then has greatly influenced this writing. Here is what he wrote:

“It may not be as easy for internal audit to know its place today, even for the next months, but carrying on as normal is unacceptable. What was identified as the top risk when you did your audit planning and risk assessment—what you are auditing as your read this—is almost certainly not the top risk today. So set your audit plan aside, and ask: ‘How can we help management (and the board, but less directly)?’ ” Good advice, for sure.

Many internal auditors have a great working knowledge of the disaster recovery and business continuity plans. One thing they can do is to dust off those plans and see how they can be applied to the current crisis. It’s unlikely that most plans accounted for a situation where most of American citizens were confined to their homes and encouraged not to interact with other humans in any way. So contingencies must be made to account for these situations. Is the technology in place for virtual meetings, VPNs, cloud storage, etc.? Is the technology working properly? These are questions internal audit can help answer and should already be working on. If anything, internal auditors are excellent planners and those skills can be brought to bear on disaster recovery and business continuity plans.

The disruption is also giving rise to new risks that may need to be evaluated by internal audit. Workers connecting in remotely, for example, create a massive amount of new nodes on the network that can be attacked. As Tom Field, of InfoRisk Today put it: “It’s no exaggeration to say that, in the midst of the COVID-19 pandemic, we now have the largest-ever global remote workforce. And with it comes an expanded attack surface that requires extra attention.” Certainly, hackers and cyber-thieves aren’t taking the day off to let organizations deal with the pandemic. Conversely, they are seizing on the opportunity to cause further havoc. So it’s All Hands on Deck for IT auditors as well, who should be working with IT and InfoSec on creative solutions to ensure remote workstations and other remote technology are secure.

Bigger than Ourselves; Bigger than Our Organizations
Watching the daily briefings from the White House’s Coronavirus Task Force, we have seen the urgency rise each day and the language and tone government officials are using to issue directives and provide information become more pressing. A common analogy that government leaders are using is that we are “at war.” Indeed, we are. In war times its common for companies and other organizations to expand their missions to think about what they can do to contribute to the effort. This crisis is no different.

In China, for example, the automotive company BYD Ltd. retooled production lines to make thousands of surgical masks each day for health care workers and those inflicted with the virus. Here in the United States, Walmart and others have offered their parking lots and other resources as space to set up testing centers. Health care providers and pharmaceutical companies are—hopefully—viewing their new mission through the lens of helping us as a country get through this crisis, rather than thinking about the bottom line. Your organization can likely do its part to aid the effort and all executives should be thinking about how they can.

We should all be refocusing our goals on what we can do to aid the effort. If that means sending our team members home, delaying projects, and rethinking where we can make the best use of our resources, then that is what we need to do. We should resist the urge to come into the office if we don’t absolutely need to. It’s clear that the coronavirus pandemic is an existential crisis for lots of companies and the best thing they can do to survive, at least in the short term, is to help in any way they can to defeat the virus itself.

We will get through this. But its still unclear how long it will take. Internal audit can and should be part of the solution, whether it’s in helping our organizations through the crisis or our global communities.

In times like these an old maxim applies well: “Hope for the best, but plan for the worst!” 

Joseph McCafferty is editor & publisher of Internal Audit 360°