GUEST BLOG
As the COVID-19 crisis unfurled, I was rapidly confronted by clients’ requests to rethink the scope and approach of our internal audit activities for the coming months—and beyond.
Many questions had to be answered quickly: Which audits are still relevant? Which audits should we postpone? Which audits are mandatory? How can we possibly perform audits with a completely remote internal audit staff? What are the new risks? And how do we prepare for the aftermath and the post-coronavirus business environment?
Nearly all internal auditors, especially internal audit leaders, are considering the same questions and confronting a new reality. With some companies in survival mode and others addressing drastically different business environments, nearly everything has shifted in just a few short months. Never before has business changed so much, so fast.
Along with the challenges of managing through a crisis, though, there are some opportunities too. Savvy internal auditors can seize the COVID-19 crisis as a chance to bolster crisis management and increase the function’s resilience. They will push to upgrade their team’s tech skills and invest in continuous monitoring activities to solidify their posture in the organization at a time when maintaining effective governance, risk management, and controls is of vital importance.
Nearly two months into the pandemic with no guarantee of a return to normal, I recommend internal audit managers consider three actions to bolster crisis management and increase the resilience of the audit function.
1: Conduct a Reassessment of the Organization’s Risks
First, it’s clear that the pandemic has increased the level of attention from top management on enterprise risk management. The crisis reaffirms the benefits of a rigorous risk management process that covers the identification, assessment, and responses to risks that could hamper the realization of the company’s objectives. At companies where the process has typically been a periodic check-the-box exercise, there is an opportunity to advance enterprise risk management mechanisms.
More Internal Audit 360° COVID-19 response coverage:
Auditing at Home: Addressing the Challenges of a Remote Internal Audit Workforce
Internal Audit Coronavirus Poll
This crisis should be a catalyst for internal auditors to re-evaluate and challenge the effectiveness of their organization’s risk management processes. I would encourage you to consider the following questions:
- Does the risk management process provide sufficient agility to escalate and act on rapid changes in the risk landscape?
- As the COVID-19 crisis unfolded in China, did the company reassess the likelihood and potential impact of certain risks relevant to operations or supply chains, such as factory shutdowns, restrictions on travel, and closure of shops?
- Is there a clear process to address high-impact and low-probability risks ensuring that an emerging risk will trigger action by a predetermined team of managers?
- Does the risk ownership methodology allow management to elaborate contingencies before a situation deteriorates much further?
- Is the process transparent enough to show the interdependence of risks?
In addition, internal auditors should push management and encourage them to reassess the likelihood of different kinds of risks and their impact. Today’s economic shake-up practically forces management to re-evaluate the enterprise risk appetite. For example, new actions could be taken to respond to the consequences of a prolonged economic downturn. Investment in stronger business continuity testing procedures might be required. The acquisition of new insurance policies might be justified. More initiatives are likely needed to keep employees safe. And information systems must be secured.
Not only will the output of such a risk review help internal auditors determine the most relevant focus areas, it will ensure the function stays alert for emerging threats and senior management’s evolving tolerance for risk.
2: Review Internal Control Adjustments
The next big focus area is internal control. Internal auditors should certainly review the impact on controls from the changes that were adopted to comply with office, factory and retail closings; social distancing; and other government requirements. In the short term, management focus has been on employee and customer safety, business continuity, and financial resilience. The shift to telecommuting and the abrupt slowdown in economic activity have modified the risk level and configuration of business operations. As the situation will remain uncertain for the foreseeable future, internal auditors should be vigilant about the possibility that some controls are no longer functioning as designed.
It is of the utmost importance to evaluate how management is adjusting financial and operational procedures to cope with remote work arrangements and the closure of facilities.
This evaluation should include:
- The adjustment of IT security controls to thwart social engineering scams and address the lack of employee experience with telecommuting and use of internet communication tools
- The proper separation of duties when a portion of the employees are ill, away from the facility, or on temporary unemployment
- The adjustment of credit risk and payment terms for changes in the risk profile of customers
- The accurate and timely registration of inventory with fewer warehouse employees
- The review, approval, and documentation of master data and accounting entries
The review should extend beyond your own organization to assess the continuity of services and controls from third-party vendors including large business process outsourcing (BPO) providers operating in distant countries, such as India or China.
The ability to maintain sufficient and effective internal controls will vary according to the setup of the processes and the degree of technology adoption. A finance department with a fully digitized process for journals and account reconciliations will, for example, face less risk than a department relying on paper-based sign-off and physical archiving of evidence.
It’s true, too, that the deteriorating economic situation provides a fertile ground for occupational and financial accounting fraud. Employees on partial unemployment with reduced salaries (motivation) might exploit gaps in management oversight (opportunity) to compensate for what they might consider unfair treatment (rationalization). Similarly, executives with performance-tied bonuses or strong investor pressure might voluntarily delay the recognition of bad news such as inventory, receivables, or asset impairments.
For publicly traded companies, regulators and external auditors will most likely take a close look at internal control adjustments, requiring disclosures of significant changes in future filings.
3: Upgrade Skills and Audit Technology
Through my client activities, I noticed that internal audit departments that made investments in continuous monitoring capabilities have been less impacted by travel restrictions and stay-at-home orders. I would urge internal auditors to upgrade their knowledge and skills in automation and continuous monitoring. Getting acquainted with digital tools and techniques will increase your resilience and ability to perform work remotely.
At a structural level, most of our “fieldwork” activities are focused on strategic and exception-based audits, while most of the routine assurance testing can be executed remotely, through technology and data analytics.
A technology like process mining has gained such a level of maturity in the last few months that you can reasonably monitor the conformity to core enterprise processes across various information systems remotely. Outliers and control deviations are flagged, and the audit team can focus their attention on deviations. The technology itself provides the possibility of communicating and interacting on issues directly with audit partners.
In the current context of crisis and change in work habits, process mining also provides a useful data-driven perspective on the operational impact of COVID-19. With people not physically present in the office, do processes run slower? Do you incur more delays in operations? Are employees who are still at work adhering to new health and safety policies? Never before has internal audit had such an important role to play in “change management.”
For those with budget flexibility, the cancellation of projects initially scheduled for the current year might provide the opportunity to acquire the technology, train internal audit team members, and take a decisive step towards continuous monitoring techniques.
If travel restrictions and social distancing measures have upended your audit activities completely, such a move could help restore a decent level of assurance in the mid term, and, more importantly, it will make the internal audit function more resilient in the future. 
Jean-Marie Bequevort is Expert Practice Leader Internal Audit at TriFinance, a consulting company with offices in Belgium, Luxembourg, Netherlands, and Germany.
Dear Jean-Marie, thanks for the interesting and useful tips. We will try to be in.