The last few weeks have seen a huge upheaval as organisations respond to the coronavrius (COVID-19) crisis. In these uncertain times, many Heads of Internal Audit and Chairs of Audit Committees may be wondering how their internal audit function can remain effective and relevant.
- Drawing ‘in-flight’ audits to a swift conclusion - based on the work performed to date, particularly where there are significant barriers to completing the audit fieldwork (such as being unable to perform onsite inspections or visits). In these circumstances, a brief ‘flash report’ of audit findings/recommendations to management and the Audit Committee may be a sufficient and proportionate approach to take. Any limitation in the audit work achieved can always be revisited at a later stage when circumstances allow.
- Reviewing and re-setting the internal audit plan for Q2 - i.e. an emergency COVID-19 internal audit plan. This might focus on helping the organisation make the right decisions during this time of immense challenge and change, and ensuring that senior management take appropriate consideration of the risk and control environment as critical decisions are made.
- Putting a provisional plan together for Q3/4 - i.e. a post COVID-19 internal audit plan and beyond (i.e. a BAU internal audit plan). As part of this, there should be a review of the organisation’s risk/audit universe to assess what risks are heightened as a result of the crisis and focus on these areas. As always, it is critical that Heads of Internal Audit discuss and approve their audit plans with the Audit Committee.
- Consider moving towards a more flexible resource model - if the internal audit function is under pressure to manage its fixed staff costs. This could be through the secondment/use of staff from elsewhere in the organisation, for example, or through co-sourcing with an external provider, enabling you to draw on resources as and when required.
- Strategic risks such as the ongoing viability of the organisation; the overall business strategy/model will come under closer scrutiny and potentially need to adapt and change.
- Operational risks associated with third parties will be heightened, particularly in those areas where the organisation is dependent on third parties for key functions, services and supplies. There is a risk that these third parties may not survive, or will struggle to remain operational and able to continue to meet contractual arrangements and service levels.
- People and cultural risks will develop as organisations adapt to new ways of working with associated changes to HR policies and procedures. Implementation of the Government’s Job Retention Scheme, or redundancy measures, will increase legal risk.
- Switching the focus of work – for example, to a greater level of stakeholder engagement and attendance at management committees/forums where key strategic and operational decisions are being discussed and taken.
- Flexing the audit approach – and considering alternative ways to provide assurance, for example by carrying out incident response reviews, follow-ups or limited scope reviews.
- Focussing on key controls – this will provide valuable assurance to senior management and the Audit Committee that the baseline control environment is being maintained and is still fit for purpose during these times of change.
- Investing in knowledge and skills development - to ensure that internal audit is well armed for the challenges that lie ahead, and is able to draw on a wider range of techniques, such as data analytics.
- Reviewing the status of critical or key projects - there is heightened risk that these projects will be put on hold or their objectives changed. Internal audit can play a role in determining the status of these projects, help the organisation to review and assess which projects should be prioritised and provide project assurance to management as they progress.
- Supporting HR functions - by performing some independent staff listening activity or surveys, for example. Given the likely cultural impact of the crisis, it is important that organisations are proactive in this area.
Completing previously agreed actions
It is important that internal audit and Audit Committees are realistic about what can be expected from previous audits and actions. The focus of everyone’s work is likely to have changed and the completion of previous audit actions is unlikely to be a key priority. Internal audit should consider:
- Revisiting and re-prioritising the action tracker, with the approval of the Audit Committee.
- For the priority actions, talk to auditees to confirm the status of actions and whether the deadlines remain feasible.
- Effectiveness of business continuity plans
- Adequacy of IT systems
- Ability of governance/leadership to make appropriate decisions during times of stress
- Potential cultural issues/learnings demonstrated by staff’s ability to adapt and respond to the crisis
- Dependencies on suppliers and other third parties within the business model
- Financial resilience and liquidity
- Potential customer issues.
Stephen Goderski (firstname.lastname@example.org +44 (0)207 516 2224)
Peter Hart (email@example.com +44 (0)207 516 2221)
James Sleight (firstname.lastname@example.org +44 (0)113 426 7404)
Oliver Collinge (email@example.com +44 (0)113 426 7405)