As companies look to reopen facilities and make accommodations for operating under the “new normal” of doing business during the coronavirus pandemic, internal audit leaders are assessing the risks and helping their organizations prepare to unlock the doors. Some are still just trying to get their bearings.
“I’ve been through both 9/11 and the 2008 financial crisis, and don’t remember either being as severe as this,” says Erica McManaman, chief auditor and senior vice president at Signature Bank in New York.
Executives can be forgiven if they feel like they are treading on unsteady ground. And business advisors aren’t afraid of veering into hyperbole when they discuss the effects of the coronavirus crisis. “Never has business changed so much, so fast,” asserts Norman Marks, a risk management and internal audit expert and author of the blog, Norman Marks on Governance, Risk Management, and Audit.
Indeed, new regulations, guidance, and directives are being issued nearly every day from state houses, regulators like the Securities and Exchange Commission, and agencies such as the Centers for Disease Control and Prevention (CDC). For instance, new guidance on the legislation designed to help those impacted by the shutdowns, like the Coronavirus Aid, Relief, and Economic Security (CARES) Act, is issued almost daily. Financial institutions must continually monitor the information to ensure they remain in compliance, McManaman says. “It’s a difficult situation to manage because it’s so fluid,” she adds.
More Internal Audit and the Coronavirus Crisis Coverage:
How Internal Audit Leaders Are Responding to the Current Crisis
Internal Audit’s New Action Plan During (and After) COVID-19
With Elevated Risk of Fraud, Internal Audit Is on Alert
The pandemic is forcing internal audit executives to rethink their approach to coronavirus risks and risk assessments on the fly. Three-quarters of internal audit leaders, for example, are updating their audit plans in response to the pandemic, according to a recent survey by the Institute of Internal Auditors. More than half have discontinued or reduced the scope of some audit engagements, and 39 percent have added new engagements.
Most chief audit executives realize that if the goal of internal audit is to help the organization succeed, they need to provide insight on the challenges and issues that matter now. “As the business is probably going to be run differently, so shouldn’t we run internal audit differently?” asks Marks.
Catching a Tiger by the Tail?
While the pandemic impacts different sectors of the economy differently, some changes in the risk environment cross multiple industries. One is the risk time frame. Until recently, few organizations planned for large sections of their workforce to be working remotely for several months. Unlike, say, a hurricane or tornado, “this risk is not just a point in time,” says Earl Potjeau, head of IT consulting at Vonya Global, an internal audit consultancy. Audit leaders now are forced to consider “risks with longer tails,” he adds. For example, should the organization jettison business lines that won’t turn a profit while the stay-at-home orders are in effect? Is it worth staffing retail outlets or restaurants if customers are still staying away? Internal audit can help evaluate these decisions.
For many businesses, the pace at which risk is changing is mind-boggling and may still be accelerating. With so much uncertainty, getting a handle on risk can feel like trying to catch a tiger by the tail. Internal audit has to shift accordingly. “Doing a traditional audit that takes weeks, if not longer, is not necessarily going to help business leaders run the business today,” Marks says.
Forum Credit Union was already updating its risk assessment twice yearly, and the audit plan quarterly, says Rick Walke, vice president of internal audit and risk management at the Indianapolis-based financial institution. Walke also adjusts the plan if a risk emerges that wasn’t on the radar when it was approved. At Forum, for instance, credit risk has become a much greater concern, as it is granting some deferrals and working with members who’ve run into financial difficulties.
The massive numbers of employees working from home for extended periods of time also gives rise to several risks. Cybersecurity breaches and fraud has become a more prominent concern at many organizations. More than 40 percent of companies have increased efforts on both of these fronts, the IIA coronavirus survey finds.
Similarly, even as employees work remotely, many still need to share data. Their employers need to ensure they continue to comply with data privacy laws, says Sharon Lindstrom, managing director in the internal audit practice with consulting firm, Protiviti.
As more companies move portions of their operations to the cloud, appropriate cloud governance, including spending on cloud services, has become increasingly critical, says Steven Randall, partner at Vonya Global. Randall, for example, worked with an organization that discovered it had been overpaying its cloud service provider by hundreds of thousands of dollars. “Effective internal controls will minimize the risk of overpayments,” he says.
Liquidity risk is rising at many organizations too, says William Feher, chief financial and risk officer at Trumbull, Connecticut-based Emerging Risk LLC. That’s especially true for some smaller organizations that may not have bank lines of credit in place to which they can turn. “This may fundamentally change the strategy for the business going forward,” he says. A business might decide to factor its accounts receivable, taking a discount in exchange for quicker access to cash. Another option, albeit one that can further stress the supply chain, is to stretch payments. Internal audit can advise on the potential benefits and risks of each, Feher says.
Many supply chains also are facing increased risks. As a global manufacturer, MacLean Fogg works with multiple international suppliers. “A lot are going through hard times,” says Stephen Young, chief compliance officer and vice president of internal audit at the Mundelein, Illinois-based organization. Vendor viability is a huge concern, he adds.
People and processes can be another source of increased risk, given the many operational changes companies are making, says Protiviti’s Lindstrom. As organizations furlough employees, for example, they need to ensure workers’ access to the corporate network is terminated, and that other employees are assuming the responsibilities of those let go.
Changing Approach to Risk Assessments
Given the scope and pace of change in many risks themselves, most audit executives will need to adjust their risk assessment processes to remain relevant and continue to add value. A starting point—as basic as it sounds—is to facilitate conversations about risk with the rest of the executive team. In some ways, the pandemic may help. Say management insists the probability of a specific risk is zero. Internal audit probably will have more room to push back, pointing out that it’s likely few executives, even last year, envisioned much of the economy shuttering to stop the spread of a virus. “Audit can help force the analysis,” Potjeau says, and encourage management to look at a greater range of risks and their impact over a longer period of time.
At Signature Bank, McManaman and her team worked with their operations and risk colleagues to complete a modified risk assessment based on COVID-19. “We asked the management teams, ‘What’s changed in your area? What are the risks you’re seeing now?’” McManaman says. Based on these discussions, as well as other information, such as peer discussions, she and her team modified their risk assessments and started conducting risk monitoring activities. They continue to monitor changes daily and weekly.
McManaman and her team shifted focus to many of the risks that changed because of the pandemic. “A lot of risks we normally look at, are not as top of mind now,” she says. Accordingly, they’ve postponed many audits planned prior to the pandemic to focus on emerging operational risks.
To ensure her group understands where the risks are and moves appropriately as the risk landscape changes, McManaman and her colleagues continually talk with other leaders in the bank as well as regulators. A discussion with the management team about the Paycheck Protection Program (PPP), for example, led to a heightened focus on risks that stem from participation with the program.
While McManaman’s group had already engaged in continuous risk monitoring, it previously accounted for about one-quarter of their time, with the rest devoted to traditional audits. Now, it’s about 100 percent of their time, she says, noting that the ratios likely will readjust over time, as they continue to reassess. McManaman adds that the regulators have supported this approach. “They understand it’s a pivotal time for the institution,” she says.
Data analytics can also help audit executives intelligently reassess risk, especially now that it’s more difficult to observe operations on-site. “Data analytics is taking a more important role, faster than people thought,” Young says. In its efforts to bring inventory levels down, for example, Young’s team is using data analytics to determine the benefits of consolidating some shipments and then handling them more efficiently once they arrive.
Internal Audit’s Time to Shine
While the loss of life, health, and jobs resulting from the pandemic can never be discounted, a few silver linings might emerge. One is the greater focus on potentially catastrophic risk. Since it’s become harder for anyone to deny the likelihood or potential of different risks, more thoughtful discussions about risk should ensue. “You can run, but you can’t hide anymore,” Pontjeau says.
Some of the changes implemented to accommodate the restrictions imposed to thwart the pandemic, like the greater reliance on data analytics, will ultimately boost efficiency, even after the restrictions are eased. Young notes that while his group will continue to make site visits to various locations, they’ll likely be shorter and more focused on the exceptions generated by data.
Internal audit executives who can work with other executives and pivot to provide the insight and advice that can help the organization address new risks and succeed in a rapidly changing environment can benefit as well. The challenges presented by the pandemic offer “a great opportunity for internal audit to shine and be relevant,” says Lindstrom. 
Karen Kroll is a writer on internal audit, finance, and other business topics based in Minneapolis, Minn.