Internal Audit (IA) teams have had a major role to play in organizations’ responses to the COVID-19 pandemic. As well as planning for the next stages of recovery, it is important to look back at what has worked well, and to learn lessons for future crises.
The IA teams that were most prepared for this crisis periodically evaluated the business activities their organizations used to prepare for significant future disruptions such as continuity planning, scenario exercises and emerging risks monitoring, with a focus on frequency, assumptions, quality of the debate and action.
Some chief audit executives (CAEs) had made investments that helped them to respond well to the fast-changing demands of the pandemic, including:
- Using technology and data analytics to quickly review the relevant data
- Close cooperation with other assurance functions in the second line of defence to remove unnecessary duplication of activity and to share understanding of key business processes, critical risks and control effectiveness
- Using Agile concepts within audit execution, and auditors adjusting the audit scope during execution
- Revising audit reports to make them more concise, with better analysis of root causes and clearer explanation of the implications to drive prompt, effective and sustainable remediation action by management
Emergency Response by CAEs
Every CAE’s initial focus was on the safety of their auditors, including determining how to get auditors working overseas home safely before governments introduced travel bans. Simultaneously, CAEs had to be involved in their organizations’ crisis management teams and their responses. This was an intense and complex task and is ongoing for many.
CAEs needed to quickly decide the optimal response from audit. The 5 most frequent responses were:
- Deploying auditors into the business to use their skills and knowledge to support severely impacted operational teams
- Using the high level of data analytic skills within the audit team, and its access to corporate data, to provide new business information to management
- Liaising with regulators, external auditors and others to understand their need for information
- Joining crisis response teams to understand the decisions being made about changing ways of working, the associated risks and the expected impact on controls adequacy with respect to the organization’s risk appetite
- Reassessing the catalogue of planned audits for 2020, including:
- Which audits on the plan remained truly essential, and how can the CAE judge which to retain, cancel, defer or adjust?
- Which essential audits can auditors working from home execute remotely (fully or in part)?
- Which of those audits have sufficient, relevant business managers still working and accessible, given their new priorities?
- How to best leverage the second line of defense’s work to remove unnecessary duplication?
- What was the best use of the auditors’ time, when they had been freed up by delaying some audits and restricting the scope of others? Could it be used to bring forward training or planning?
The CAE needed to continually keep up to date on the organization, changes being made and the impact on risks and controls, and the audit plan was revised much more regularly than it had been previously.
Moving to Remote and Audit’s Response
As many organizations have switched to remote working, CAEs are also working apart from other auditors in the same team for specific audits and from the auditees being reviewed.The CAE needs to ensure that all auditors have the necessary technology, skills and training to work from home.
To reduce duplication of effort and boost organizational resiliency, audit leaders are collaborating more with their assurance colleagues. The increased use of data analytics offers the possibility of auditing more broadly during a single audit invocation where, for example, multiple business entities or processes use the same systems and data.
While working from home, auditors needed to determine how to verify data and confirm their provisional conclusions or concerns over identified error rates. Various techniques being used include:
- Triangulating with other digital data sources
- Interviewing relevant management, preferably based at the site in question
- Requesting management confirmation /attestation
- Reviewing documentation
- Viewing the location or activity via in situ CCTV or other video or tech-based options
- Using local risk managers or staff from co-source partners
Many CAEs increased their expectation of audit teams to exercise professional judgment when assessing whether they did enough to reach a conclusion and were therefore able to stop an audit early. The concept of “minimum viable audit” has become common terminology.
CAEs also needed to re-evaluate their existing QA methodology given the various changes being made to their audit planning, scoping, execution, and the evidence available. Adjustments were also needed concerning the timetable for resolving previously reported control issues or the temporary risk acceptance of a known control weakness.
CAEs were expected to cut their department costs to parallel action being taken throughout the organization. CAEs had to be aware of the cutting of costs and headcount elsewhere in the organization as another factor behind the changing processes and ways of working, changes to the associated risks and the continuing effectiveness (or not) of controls which thereby required reconsideration of planned audits.
CAEs often decided that advisory activity was the most valuable contribution at that time and an assurance type of review could only be used in more stable processes or if regulations dictated that approach was essential.
Adjustments to Communication
Auditors have made adjustments to communication with auditees during audits to ensure the best use of everyone’s time, including regular updates on progress, identified control issues and next steps in the audit.
Communication with key management stakeholders has also had to change during the pandemic. Executive leadership wanted to hear from the CAE regularly about changes to the risk environment they faced, adequacy of controls, details of any risk or control concerns or risk waivers (newly introduced), plus results from audits being completed, including any caveats or restrictions on the audit work or conclusions.
Moreover, the CAE and the audit leadership team needed to adjust to managing a remote team of auditors. The key issues are the same as for any team now operating remotely and include managing people, supervising work, monitoring output and quality of work, motivating individuals, providing coaching and training, carving out time for fun, and understanding the wellbeing of individual auditors.
Business Return and Reinvention
However the organization changes because of the pandemic, the CAE needs to be actively involved in the planning for return to the workplace, including:
- Understanding the plans for business processes and ways of working going forward, together with the associated risks and current and planned portfolio of controls
- Assessing the organization’s log of decisions made during the pandemic, any waivers granted concerning risks and controls, agreed delays in control remediation and control issues identified during advisory and assurance work carried out by IA during the pandemic
- Which decisions made about changes and new ways of working were successful, and which to retain or discard. This may involve an organizational “lessons learned” exercise to identify areas of the organization that coped well or did not, and why
- The CAE will be expected to bring to the debate an understanding of the regulatory requirements and constraints on any proposed new ways of working
The COVID-19 pandemic exposed organizations to enormous and unexpected changes. Some were made voluntarily in response to the fast-evolving situation, and others were imposed by government policy decisions. While each organization faced its own unique set of challenges, every CAE had to understand the changing situation, their organization’s new ways of working, the new risk landscape and how best to deploy the audit team in response.