This four-part blog discusses the major questions that an Internal Audit function (IA) should address as the global COVID-19 situation continues to challenge the corporate world.
It is separated into four distinct parts: (1) the future positioning of the IA function in an altered environment (i.e. operating model), (2) with what sort of people an IA function should complete its assignments (i.e. talent management), (3) what sort of risks could be relevant in the coming two to four years and (4) how its internal processes need to be adjusted (i.e. execution).
Internal Audit position in a new reality – an altered operating model
Because of the transformed corporate setting – both internally and externally – the Internal Audit (IA) function is facing key strategic questions regarding its positioning and what sort of operating model it should run in the coming 6 to 24 months.
The International Standards for the Professional Practice of Internal Auditing (standards) issued by the Institute of Internal Auditors (IIA) address these positioning matters of an IA function with the attribute standards 1000 to 1300.
They discuss questions as to the strategic placement of an IA function (i.e. purpose, authority, and responsibility), how it should fulfill its independence and objectivity requirements (i.e. impartial and unbiased execution and reporting) and how it can contribute to the company’s success (i.e. proficiency).
Before the COVID-19 situation, corporations that followed good practice recommendations would mostly apply the three-line-of-defense principle [1] and use it as the corporate governance model for their organizations. With the new reality driven by the coronavirus agenda, the situation of corporates has dramatically changed.
Firms and their respective oversight and management committees started to question some of these corporate governance principles that provided the needed assurance in relatively stable internal and external conditions. These days, the principles seem ineffective in addressing the challenges organizations are facing. Suddenly, 2nd and 3rd line-of-defense functions are confronted with new internal challenges that affect their role and responsibilities as well as the understanding of their tasks.
Considering the economic downturn, corporations are putting governance programs on hold due to cost-cutting initiatives. Also, strategic priorities are currently in “survival mode”. Assurance activities around control testing and monitoring have been reduced drastically, and corporate governance processes or related control frameworks have been altered due to organizational measures to keep operations going, i.e. allowing the overriding of the four-eyes principle or ignoring the segregation of duties because employees are on furlough, working from home or being laid off.
At the same time, organizations are facing new emerging risks which were not on anyone’s agenda before, such as (1) drastically reduced demand, (2) implosion of sales volumes, (3) high uncertainty regarding budgeting, (4) the economic outlook, (5) increased complexity in key processes such as payroll due to lay-offs, furlough and labor programs/subsidies or (6) quickly deployed cost-saving programs – to name but a few [2].
As a result, IA functions are faced with the question of how to deal with these changing circumstances: how should they continue to provide assurance on governance and key risks while the risk map is being radically altered and continues to shift? We see the following strategies being applied to address this conundrum:
Introducing a rolling or fully adaptive internal audit planning
While in the past the IA function would propose a solid, mostly cycle-based three to four-year strategic audit plan that included only a few alterations to address internal initiatives, projects or issues, planning has now become much more fluid and flexible.
IA functions should radically question the planned audit missions for the coming two to four quarters (i.e. 6 to 12 months) on a three-month basis and conduct a short but effective assessment as to which (=defined risk) and where (i.e. entity, function, process, business unit etc.) emerging risks require attention by IA. This enables added value while cutting down on what has little to no priority.
Adjusting the audit volume
Unassigned IA time budgets should not be used to add additional audits but instead assigned to support other, internal projects (see section further down) or to improve IA's own processes and methodologies.
The planning should also be closely aligned with management and the board. While it may expose the IA function to a short-term threat of not being fully independent in its strategic planning, the compensation is that IA can address the right issues that matter most to the organization.
Finally, the IA function may have mandatory audit missions (i.e. testing as part of control framework assurance tasks) that cannot be postponed or moved. These should continue but use alternative testing means such as remote, online or DA-driven testing, control self-assessment (CSA) procedures by local management (i.e. guest auditors) or the engagement of local third-party professionals to conduct control testing.
Modifying the risk lens to emerging risks and key corporate initiatives
Risk maps of IA functions from the past were mostly driven by materiality (i.e. cycle focused entity audits with some annual focus areas and qualitative measures) and then mapped to the corporate risk map. Under the new situation, IA should rethink its own risk map and start to monitor the risk situation continuously.
It should also engage in short but effective discussions with a wider circle of internal stakeholders to identify relevant and potential emerging risks. Key points of the discussion should be around how the organization is coping with the new circumstances. Here are some sample questions for such discussions:
- Validation: if and how processes, organizational setups, governance and control frameworks, IT and security systems were amended to ensure business continuity (i.e. wind-down and wind-up operations),
- Confirmation: which are the minimal corporate governance standards still imposed (i.e. delegation of authority guidelines, signature requirements, four-eyes principle, segregation of key duties, etc.) and how does the business ensure that these standards are effective (i.e. documentation, continuing application, testing, etc.),
- Assessment: how were COVID-19 measures (i.e. lock-downs, team splits, home-office, delayed projects, etc.) implemented and continue to be monitored for sustainability; what were the effects on the organization from the point of view of people (i.e. part-time work), processes (i.e. manual vs. automated workflow vs. bots), internal key project portfolio and initiatives, stakeholder management (i.e. KYC), etc.
- Materialization: which risks occurred, which are considered to be most pressing in the short and mid-term and how up-to-date is the current enterprise risk map
From the perspective of the IA function, this requires well-prepared staff that is completely familiar with the situation at the organization, its processes and controls, the company’s business model, its short-term initiatives and actions imposed by management and the applied COVID-19 strategy (i.e. home-office, wind down of operations, etc.).