Internal audit teams need to focus on identifying and managing critical controls.

The effects of the coronavirus (COVID-19) pandemic have been disruptive to organisations, individuals and Australia’s economy. And with management’s attention on the business’ COVID-19 response, internal audit, along with risk practitioners, have a responsibility to monitor key risks, support critical control operations and protect against vulnerabilities.

During times of crisis and uncertainty, where normal processes may be weakened or less transparent, the opportunity for those controls to be exploited is much greater – employees may access systems in different ways, delegations may change to cover absentees and workload changes, and oversight may be weakened with diverted responsibilities – all of these changes bring new risks and opportunities for fraud.

Internal audit responsibilities during COVID-19

Many organisations don’t have an internal audit program of critical control monitoring. Even where such a program exists, the changing risk profile presented by COVID-19 requires them to be re-evaluated.

Internal audit teams need to mobilise quickly to identify critical controls, then perform a targeted and timely evaluation of their performance. As an example, the implementation of wide-spread work-from-home arrangements presents a potential segregation of duties issue, where organisations are used to physical proximity to enforce segregation. Manual workarounds implemented to ‘get things done’ may compromise integrity of the control framework where there is no effective oversight and monitoring.

Internal audit professionals can implement critical control monitoring by confirming new and existing key risk areas, identifying and agreeing on critical controls and implementing continuity procedures to ensure continued operation.

1. Confirm new and existing key risk areas

Internal audit functions should partner with their organisation’s risk function, to identify:

  • new risks that are arising as a result of COVID-19, and crisis and recovery management efforts
  • risks which have been, or could become, heightened in the current environment, such as fraud
  • existing risks which have always been, and continue to remain, key to the organisation and its operations.

This analysis should be supported by outcomes from crisis management and business continuity teams, existing risk information and discussions with key management and executives.

2. Identify and agree critical controls

For key risks identified, consider the extent to which controls currently exist, the impact of COVID-19 on the operation of those controls, and agree on which controls are critical during this disruption, and for ongoing monitoring.

Characteristics of a critical control, to assist in identification include:

  • preventative and automated controls such as system workflows and segregation of duties
  • during disruption, organisations may look to supplement those controls with increased monitoring and detection
  • review and decision points, typically with ‘human’ consideration, such as review of exception reports or approval of payment runs, which determine the next course of action
  • controls which address multiple risks
  • risks with single controls.

It is important that internal audit teams also consider how those controls may have changed as a result of the recent disruption and whether those changes are both sustainable and effective. Consider the following:

  • What critical controls are typically performed by those staff now focused on crisis response or redeployed in the organisation?
  • Have critical controls been reassigned, or alternative controls implemented?
  • How have controls and responsibilities transformed alongside adapted operating models?
  • Have compensating controls been relaxed, increasing importance of critical controls?

Implement continuity procedures to ensure continued operation

Crucial to providing comfort over the continuity of critical control performance is mobilising quickly and performing regular checks, so any gaps in controls can be rectified in a timely manner.

Continuous and close controls monitoring, leveraging repeatable data analytics (where appropriate) and behaviour analysis should be implemented to quickly rectify any gaps.

Steps for Internal Audit practitioners to consider include:

  • obtaining read-only access to IT systems and business sharedrives for the purposes of monitoring activities and reduced touch points with management
  • defining indicators which would suggest controls may not be operating effectively to prompt detailed review of critical controls
  • conducting near real-time auditing over key areas using analytics and/or checking of non-automated controls
  • providing agile feedback and control advice to flag critical control breakdowns at the point these are identified.

Where to start

Below are examples of common process and risk areas for consideration when identifying which critical controls should be closely monitored during COVID-19 environment.

Connect with us


  1. Cash and capital management including cash flow monitoring, forecasting, budgeting etc.
  2. Technology including core system accessibility, cybersecurity, change controls, etc.
  3. Asset management including capacity and availability planning, critical maintenance, management of change, etc.



  1. Workforce management including critical dependencies, workforce reassignment, succession planning, rostering, fatigue management etc.
  2. Segregation of duties with consideration of fraud risks and clarity of delegations, changed system access.
  3. Payroll including master data controls, employee on- and off-boarding, EBA compliance, time and attendance, allowances, leave management.


  1. Supply chain interruptions including supply security and continuity, key vendor identification and management.
  2. Core financial controls including vendor masterfile, accounts payable and receivable, credit cards, journals, reconciliations, bad debt management etc.
  3. Regulatory and licencing requirements including continuous disclosures, licence compliance, privacy, etc.


If you have any questions regarding the content of this article and would like speak to someone from our team please contact us.