The pandemic has caused inevitable changes to traditional ways of working, forcing internal audit to abruptly adapt to remote auditing and it seems as if it is here to stay. Find out how the remote shift is best governed and what measures can be taken to adapt internal audit processes.
The pandemic has greatly impacted the internal audit operations and how internal audit functions were able to address the key risks of their organizations as part of their assurance roles. With travel restrictions only slowly being lifted and the continuing use of home-office regimes, internal auditors are forced to look for new means of auditing. One such method that has gained large momentum in 2020 and continues to be very popular with IA functions is "remote auditing", indicating an off-site conducted audit that did not include a physical presence on site. This blog explores how to cope with different challenges when the remote auditing method is used by an Internal Audit function.
Key considerations for remote working
1. Plan: Reassessing priorities within your internal audit planning
The pandemic caused corporations to adjust their business process and organizational set-up in order to ensure their operational continuance. As a result, the risk landscapes also changed and thus shifted the priorities and focus areas of Internal Audit. A proactive approach for Internal Audit is to assess the potential changes inflicted by the pandemic is using a Rapid Risk Assessment, asking the following cross-functional questions:
- Have processes shifted to accommodate recent business changes?
- Did this impact the control environment?
- Have traditional responsibilities shifted due to changes in team availability?
- Has the organization experienced issues linked to business changes?
- What new tools were adopted to perform usually, standardized activities and controls?
- What are key risks related to the changes imposed by the pandemic and subsequent changes in business?
- Are potential efficiency or cost-measures being implemented?
- If so, what is their sustainability / long-term effect?
- Can potential changes in the organization, processes or controls have unforeseen implications?
- What are the main strategic risks and what role can IA play in this?
- Which areas of the business are of most concern?
- What are the main strategic risks observed in the past 18 months and what role could IA play in addressing potential assurance questions?
2. Preparation: Investing sufficient time in preparing for the audit and clarifying new processes
Preparation of an audit is an essential keystone to ensure a smooth and efficient audit. Along with considering traditional practicalities when preparing an audit, a remote auditor must take additional points into consideration, such as:
- Assessing "auditability": Assess if the considered audit topic and related risk universe to be covered is suitable to be audited in a remote way and that the related assurance will provide the expected results; consider if questions around completeness, accuracy, timeliness of reviewed information is secured and related audit procedures are efficient "within reason"
- Availability of auditees: Consider times zone (i.e. Asia vs. US) readily available local technical means (i.e. respective hardware and internet bandwidth, microphone, video-camera, secure file-exchange platform etc.)
- Usage of tools: To ensure an effective communication with auditees consider using different communication instruments, such as video teleconferencing and document sharing solutions. For efficiency and compliance requirements, these need to be user-friendly and even more important fully secure. Ensure that the auditee is comfortable to discuss even most critical topics over a virtual communication channel
- Planning the audit: Technical issues (e.g. connectivity, sound quality, etc.) as well as long-phases of potential "unavailability" of auditees can render the audit inefficient; it is thus recommended to keep the duration of remote audits concise, i.e. define official audit field work time period, set and communicate an official "close submittance window" (no documents considered after that date), mandatory availability of auditees during agreed conference calls
- Clarification of the new process: Address the differences of remote vs. traditional auditing techniques with auditees (i.e. onboarding); Auditees need to be made aware of which medium is used for communication and how information is shared, securely, while considering confidentiality and authorization requirements.
Having now discussed the reassessment of priorities and the preparation of the remote Audit, I would like to dive deeper into audit execution and revisit the reporting protocols in the next section of this blog. Part two will be released soon.