COVID-19: How your internal audit function can stay effective and relevant

read timeRead time: 6 mins
In these uncertain times, many Heads of Internal Audit and Chairs of Audit Committees may be wondering how their internal audit function can remain effective and relevant.
For some organisations, internal audit may be rapidly moving down the organisation’s priority list as senior management and the board deal with the immediate effects and operational demands of the crisis. However, internal audit plays a crucial role as an independent and trusted advisor.  More so now than ever before, they need to adapt and raise their game to ensure they remain relevant at this time of immense challenge and change.

Maintaining an achievable and feasible internal audit plan

Given the operational upheaval internal audit will be facing a number of practical challenges as they seek to complete their ‘in-flight’ audits and start to plan their next set of audits for the coming months.
It is vital that internal audit remains dynamic and flexible. This might involve:
  • Drawing ‘in-flight’ audits to a swift conclusion – based on the work performed to date, particularly where there are significant barriers to completing the audit fieldwork (such as being unable to perform onsite inspections or visits). In these circumstances, a brief ‘flash report’ of audit findings/recommendations to management and the Audit Committee may be a sufficient and proportionate approach to take. Any limitation in the audit work achieved can always be revisited at a later stage when circumstances allow.
  • Reviewing and re-setting the internal audit plan – i.e. an emergency COVID-19 internal audit plan. This might focus on helping the organisation make the right decisions during this time of immense challenge and change, and ensuring that senior management take appropriate consideration of the risk and control environment as critical decisions are made.
  • Putting together a post COVID-19 internal audit plan and beyond (i.e. a BAU internal audit plan).  As part of this, there should be a review of the organisation’s risk/audit universe to assess what risks are heightened as a result of the crisis and focus on these areas. As always, it is critical that Heads of Internal Audit discuss and approve their audit plans with the Audit Committee.
  • Consider moving towards a more flexible resource model – if the internal audit function is under pressure to manage its fixed staff costs. This could be through the secondment/use of staff from elsewhere in the organisation, for example, or through co-sourcing with an external provider, enabling you to draw on resources as and when required.

Focussing on new risks and issues

It is critical that internal audit stays alert and responds to the risks their organisations are facing.
The organisation’s immediate focus will have been on operational resilience and business continuity. For many, the cash flow and liquidity risk implications of the crisis will be crystallising. This means that the availability and sources of funding as well as cost management (including capital expenditure, supply chains and human resources) will become key areas of focus.
In the medium to longer term, the following risk areas may become increasingly important:
  • Strategic risks such as the ongoing viability of the organisation; the overall business strategy/model will come under closer scrutiny and potentially need to adapt and change.
  • Operational risks associated with third parties will be heightened, particularly in those areas where the organisation is dependent on third parties for key functions, services and supplies. There is a risk that these third parties may not survive, or will struggle to remain operational and able to continue to meet contractual arrangements and service levels.
  • People and cultural risks will develop as organisations adapt to new ways of working with associated changes to HR policies and procedures. Implementation of the Government’s Job Retention Scheme, or redundancy measures, will increase legal risk.
To respond effectively, internal audit needs to engage with their risk function, senior management and the decision-making processes within the organisation. Internal audit often has a unique perspective, meaning they can effectively challenge whether senior management are considering the whole range of risks (and opportunities), both short term and longer term, and putting together appropriate plans to address them.

The impact of remote working on internal controls

It is likely that the internal control framework across organisations may not be operating as designed or as effectively as usual.
This is a concern, particularly for key controls. In light of this, internal audit may want to perform a ‘stocktake’ or gap analysis of key controls. Talking to key control owners will help to determine whether controls are continuing to be operated and are operating effectively, or if any mitigating measures are needed. Particular attention should be given to those areas which rely heavily on manual controls and the expertise and skills of their control owners/operators during this time of staff disruption.

Deploying your resources in different ways

It is inevitable that current circumstances mean senior management and auditees will be more focussed on their day job. Traditional internal audits may go on hold for the time being and internal audit may deploy itself in different ways. This might include:
  • Switching the focus of work – for example, to a greater level of stakeholder engagement and attendance at management committees/forums where key strategic and operational decisions are being discussed and taken.
  • Flexing the audit approach – and considering alternative ways to provide assurance, for example by carrying out incident response reviews, follow-ups or limited scope reviews.
  • Focussing on key controls – this will provide valuable assurance to senior management and the Audit Committee that the baseline control environment is being maintained and is still fit for purpose during these times of change.
  • Investing in knowledge and skills development – to ensure that internal audit is well armed for the challenges that lie ahead, and is able to draw on a wider range of techniques, such as data analytics.

Making sure internal audit adds value

Organisations will be making fundamental strategic and operational decisions and at a quick pace. It is vital that internal audit has a ‘voice at the table’ when these decisions are taken, ensuring that the risk and control implications are adequately considered.
Other areas where internal audit may add value include:
  • Reviewing the status of critical or key projects – there is heightened risk that these projects will be put on hold or their objectives changed. Internal audit can play a role in determining the status of these projects, help the organisation to review and assess which projects should be prioritised and provide project assurance to management as they progress.
  • Supporting HR functions – by performing some independent staff listening activity or surveys, for example. Given the likely cultural impact of the crisis, it is important that organisations are proactive in this area.

Completing previously agreed actions

It is important that internal audit and Audit Committees are realistic about what can be expected from previous audits and actions. The focus of everyone’s work is likely to have changed and the completion of previous audit actions is unlikely to be a key priority. Internal audit should consider:
  • Revisiting and re-prioritising the action tracker, with the approval of the Audit Committee.
  • For the priority actions, talk to auditees to confirm the status of actions and whether the deadlines remain feasible.
 Heads of Internal Audit need to ensure that they make the Audit Committee aware of any change of approach, and obtain their approval.

Internal audit’s role after the crisis

There are, and will continue to be, a huge number of lessons to be learned from this crisis, such as:
  • Effectiveness of business continuity plans
  • Adequacy of IT systems
  • Ability of governance/leadership to make appropriate decisions during times of stress
  • Potential cultural issues/learnings demonstrated by staff’s ability to adapt and respond to the crisis
  • Dependencies on suppliers and other third parties within the business model
  • Financial resilience and liquidity
  • Potential customer issues.
Never before has the role of internal audit in reviewing and reporting on adverse events been so pertinent.  Reflection on the lessons learned and analysis of what went right and wrong are likely to be key drivers and inputs into identifying priorities and setting the forward-looking internal audit plan.