• Luka Zupan, Partner |

This four-part blog discusses the major questions that an Internal Audit function (IA) should address as the global COVID-19 situation continues to challenge the corporate world. It is separated into four distinctive parts: (1) the future positioning of IA function in an altered environment (i.e. operating model), (2) with what sort of people an IA should perform its assignments (i.e. talent management), (3) what sort of risks could be relevant in the coming two to four years and (4) how Internal Audit’s own processes need to be adjusted (i.e. execution).

While we addressed the question of impact in the first blog and examine relevance, feasibility and complexity in the coming two, this entry focuses on the proficiency and competence an IA function needs in order to remain relevant and effective.

Staffing Internal Audit – the limitations of current structures and skill sets

Typically, the staff structure of an Internal Audit function has the following characteristics:

Long-lasting leadership team (i.e. more than 10 years of experience):

  • Experienced group of auditors, including Chief Audit Executive (CAE), that ensures continuity
  • Typically the group makes up 20-30% of the total IA staff. 
  • The team has perfected the operational IA execution, including planning, field work and completion as well as reporting. 
  • In certain cases, the IA leadership team can be slightly out of touch with the business, i.e. tackling emerging and key risks, using new technologies and having a more modern understanding regarding the role of IA.
  • In the past cooperation or coordination with 2nd line of defense functions was limited.
  • No enforcement of extended cross-departmental assurance and 
  • No active pursuit of consulting services. 

Young, somewhat inexperienced staff (i.e. 0-3 years of overall work experience):

  • Group of freshly graduated or young professionals with limited work experience.
  • Usually hired as part of a talent-onboarding and internship program (high motivation and clear agenda to learn, acquire experience and travel the world).
  • The group typically makes up 70-80% of the total IA staff.
  • Because of their lack of experience, they miss a comprehensive understanding of the business strategy, embedded processes and routines (i.e. standard operating model), the corporate culture, designed and implemented governance and control frameworks, IT landscape, etc.
  • This group of IA staff tends to have limited prospects of continuing their IA career (i.e. higher fluctuation rates and internal relocation to positions within the business).

Especially IA departments of multinationals that apply a more cycle-based planning approach, the work of an Internal Auditor generally includes a considerable amount of international travelling (i.e. >50%), recurring, similar types of audit missions and a comparable portfolio of audit findings. The work is mostly delegated to young staff with limited field work participation of the IA leadership team.

Having an Internal Audit function is considered an effective signaling and fraud-prevention instrument. It helps to make sure that the organization adheres to rules and upholds an effective corporate governance and control framework. However, this sort of audit focus delivers negligible added value to the business and provides limited assurance to the board regarding potential emerging key risks – especially in times of COVID-19.

Even if the cycle-based audit approach has been enhanced by adding new, risk-oriented topics and end-to-end process reviews, often the IA function finds it difficult to fully grasp the complexity and derive adequate findings and make recommendations that truly add value for the business. This is not so much a COVID-19/lockdown issue but has preoccupied IA functions for a long time now. The challenge is to obtain the right balance between providing assurance over governance and controls while simultaneously trying to make an impact with hands-on recommendations and best-practice comparisons with peers.

The IA Function is faced with even more pressing questions concerning its relevance and its “raison-d’être” with the new post-COVID-19 limitations inflicted on it from the outside (i.e. travel bans, reduced travel possibilities, economic downturns and recessions) and the inside (i.e. reduced staff availability, furloughs, home office, production slow-downs, decreasing sales, imposed cost-saving programs, unbalanced governance and control frameworks, etc.)

In particular, IA has to grapple with the following aspects and questions:

  • Relevance: how much added value should or must an audit mission provide to qualify for execution in times like these?
  • Impact: which audit mission on the strategic audit plan will impact the organization in times of continuing change and extreme economic uncertainty?
  • Feasibility: how can audit missions be executed effectively and efficiently if on-site visits are no longer possible?
  • Complexity: how should IA respond when applicable audit procedures are either limited (i.e. videoconference) or more sophisticated in the execution than in previous reviews (i.e. data analytics, process mining etc.)?
  • Know-how: is the current staff structure (incl. skill sets and know-how) enough to address these challenges and provide satisfactory results?

All these questions result in structural challenges that an IA function is facing. Accordingly, in light of the assurance mandate the Internal Audit function provides, the Chief Audit Executives (CAE) should reassess how internal audit missions are organized and executed with the IA staff at hand.

Initiate a change of paradigm

As IA remains a very people-centric business, this signifies examining the team’s structure, its knowledge and skill sets as well as the individual members experience and industry understanding. Furthermore options on auditing procedures1 , reliance on technology (i.e. data analytics, process mining) and operating models need to be assessed.

From an audit execution perspective, it seems that in today’s circumstances, the obvious strategy is to move to a more virtual, online-based remote auditing approach. While less travelling means initially less travel expenses, the disadvantage is that particularly process-related walkthroughs and auditing procedures cannot be conducted as intended.

It is also difficult to build up a personal relationship with the auditee in the virtual world only that enables a trusted exchange of information. Simple evidence gathering, such as photocopying records at hand, is no longer feasible and requires more effort to ensure an effective documentation. Finally, on-site visits usually create an audit momentum, allowing for an efficient and effective audit, i.e. stakeholders are available, the documentation prepared or readily at hand and management attention high. A more remote approach depletes the momentum somewhat, making for longer response times and delays in the completion of an audit, thus creating inefficiencies.

Encourage critical thinking and deductive/inductive reasoning

When IA functions decide to go with a remote audit approach the resilience, skills and capabilities of the IA staff will have a wider and more profound impact on the outcome of audit missions than before. While previously conducting walkthroughs on site and actively interacting with auditees supported the opinion making of an auditor, she/he is now fully reliant on processing audio information (from interviews) with fact-finding (i.e. reports, information from a database), and combining these two elements it with her/his own experience on a specific topic.

This requires a strong deductive and cognitive skill set, where analytical thinking is successfully combined with out-of-the-box judgement capabilities. In other words, the auditor should be able to overcome adverse information conditions, compensate for the fact that auditees have an information advantage and figure out negative information. Finally, he/she must demonstrate a higher level of resilience2 to retain the audit momentum.

Moreover, auditors will need to further sharpen skill sets, such as:

  • Critical thinking when processing information (i.e. gathering, validating, analyzing or evaluating, interpreting data, and finally, deriving a conclusion).
  • Deductive reasoning based on logic and the understanding of clearly defined preconditions (i.e. internal SoD rules/standards, documented procedures and guidelines/policies like DoA or expenses, control requirements based on ICS, etc.).
  • Inductive reasoning based on objective interpretation of evidence supplied (i.e. signatures, initials, dates, etc.), as well as own experience (i.e. knowledge of best practice).
  • Resilience in order to be able to cope with multiple, parallel activities while focusing on key matters and maintaining the connection to the auditees.

Rethink staffing structure and size

Therefore, the CAE should assess if the IA team has the required skills to make sure that audit missions will continue to have the same or even higher impact as before – despite the more complex and challenging audit environment.

Also, when rethinking the staffing structure and strategy, the CAE must be willing to face the potentially inconvenient truth: Neither are the needed skills sets currently sufficiently developed nor can they be acquired in the near future.

The CAE has several options to remediate this:

  • Adjust the structure of the staffing pyramid for audit missions and change the ratio of experienced vs. unexperienced auditors from the usual ratio of 30%¦70% to a more senior share, i.e. 50%¦50% or even a higher ratio (this option requires considerable time and a very stable team).
  • Temporarily defer IA talent and career development programs that focus on recruiting young talent and focus on providing more senior employees of the organization the opportunity of a different career path within the company, thus ensuring that these persons gain in-depth business experience and knowledge.
  • Intentionally reduce overall staffing to accommodate for a smaller number of audits (i.e. reduction of overall audit volume).
  • Reassign senior staff to more audit execution tasks (i.e. delivery) and fewer review and supervisory duties.
  • Consider sourcing outside services for subject matter expertise on specific topics (for instance, to include process excellence, best practice, benchmarking and peer review expertise).
  • Use local service providers for on-site support as long as international travelling continues to be unfeasible (i.e. on-site presence to conduct physical testing, collecting evidence, perform walkthroughs, etc.) or consider using local guest auditors.

Make technology and tools mandatory

While assessing alternative staffing strategies, CAEs should also reconsider the future profile of an effective and efficient auditor. This may require a higher seniority level, more in-depth knowledge and experience regarding the organization and a clear commitment to use modern technological tools for conducting audits.

While the use of virtual communication (i.e. video conferencing, sharing presentations, virtual site visits using cameras) have exploded in the past six months, it is only natural to expect auditors to become more technologically adept. However, technology should not be reduced to using MS teams, ZOOM or similar communication tools. Auditors should respond to the challenge of not being on site and conducting the audits remotely by adopting even more sophisticated technological elements3, i.e.:

  • Site reconnaissance: virtual site visits using local staff to film/transmit video and audio information back to the audit manager at HQ
  • SoD violations: retrieve security and SoD violation errors and alerts from Group IT reports or assess governance, risk and compliance (GRC)
  • Historical patterns: use historical data to compute and assess potential patterns in the company’s chronological development
  • SharePoint: use online sharing tools to enable direct access to specific folders and information (therefore eliminating data or document requests)
  • Data analytics (DA): use advance DA options, including process mining, correlation analysis and exception/anomaly seeking

Keep up continuity and boost morale

While the CAE might be faced with difficult decisions in regard to her/his recruiting and staffing strategy, it should also be mentioned that the current situation may have a tremendous impact on the overall morale, employee satisfaction and career perspective of internal auditors.

Most auditors had clearly assigned roles and tasks / duties (i.e. senior leadership level, young agile staff), which often was the reason why they joined the IA function in the first place or remained there for such a long time. Because of the restrictions and changes in the IA function’s operating model, this situation may have evolved and the presumed stability may have shifted to a state of flux and unpredictability.

This will most certainly affect the recruiting and retention strategies of internal audit functions as well as the overall morale of the team. In the context of the outlined challenges, the CAE should assess his/her team as follows:

  • Evaluate the team’s skills and capabilities based on each individual, and define individual skill development plans
  • Map available skill sets to the revised auditing strategy and operating model (i.e. focus on more senior staff with a sound understanding of the organization)
  • Use the mapped skills sets to encourage on-site learning (i.e. learning by doing)
  • Clearly link the skill development and skill-sharing to the goal setting and performance evaluation of IA staff

The future strategy on how audits will be performed (i.e. virtual, remote, driven by data analytics), the potential shift in focus/scope (i.e. less cycle-based more end-to-end; 2nd line advisory work) and staffing (i.e. senior vs. junior staff ratio) should then be clearly communicated to staff and remediating actions initiated.
In the next blog of this four-part series, we will discuss which key risks will affect the organization of IA and how to potentially address them in the coming 6 to 24 months. In the meantime, if you have any remarks or questions, we will look forward to hearing from you.


1 To be discussed in more detail in the coming blog focusing on IA processes
2 Resilience in the sense of persistency, rigor and effort
3 See the IIA publication on remote auditing for Covid-19 and beyond


Durchstöbern, Verwalten und Teilen

Verwalten Sie Ihre eigene Bibliothek und teilen Sie die Inhalte.