IA after COVID-19: The future strategic positioning IA after COVID-19: The future strategic positioning

This four-part blog discusses the major questions that an Internal Audit function (IA) should address as the global COVID-19 situation continues to challenge the corporate world.

It is separated into four distinctive parts: (1) the future positioning of IA function in an altered environment (i.e. operating model), (2) with what sort of people an IA should complete its assignments (i.e. talent management), (3) what sort of risks could be relevant in the coming two to four years and (4) how its internal processes need to be adjusted (i.e. execution).

Because of the transformed corporate setting – both internally and externally – the Internal Audit (IA) function is facing key strategic questions regarding its positioning and what sort of operating model it should run in the coming 6 to 24 months.

The International Standards for the Professional Practice of Internal Auditing (standards) issued by the Institute of Internal Auditors (IIA) address these positioning matters of an IA function with the attribute standards 1000 to 1300.

They discuss questions as to the strategic placement of an IA function (i.e. purpose, authority, and responsibility), how it should fulfill its independence and objectivity requirements (i.e. impartial and unbiased execution and reporting) and how it can contribute to the company’s success (i.e. proficiency).

Before the COVID-19 situation, corporations that followed good practice recommendations would mostly apply the three-line-of-defense principle¹ and use it as corporate governance model for their organizations. With the new reality driven by the corona virus agenda, the situation of corporates has dramatically changed.

Firms and their respective oversight and management committees started to question some of these corporate governance principles that provided the needed assurance in relatively stable internal and external conditions. These days, these seem to address the challenges the organizations are facing ineffectively. Suddenly, 2nd and 3rd line-of-defense functions are confronted with new internal challenges that affect their role and responsibilities as well as the understanding for their tasks.

Considering the economic downturn, corporations are putting governance programs on hold due to cost-cutting initiatives. Also, strategic priorities are currently in “survival mode”. Assurance activities around control testing and monitoring have been reduced drastically and corporate governance processes or related control frameworks altered due to organizational measures to keep operations going, i.e. allowing the overriding of four-eyes principle or ignoring the segregation of duties because employees are on furlough, working from home or being laid off.

At the same time, organizations are facing new emerging risks which were not on anyone’s agenda before, such as (1) drastically reduced demand and (2) implosion of sales volumes, (3) high uncertainty regarding budgeting, (4) the economic outlook, (5) increased complexity in key processes such as payroll due to lay-offs, furlough and labor programs/subsidies or (6) quickly deployed cost-saving programs – to name but a few².

As a result, IA functions are faced with the question of how to deal with these changing circumstances: how should they continue to provide assurance on governance and key risks while the risk map is being radically altered and continues to shift. We see the following strategies being applied to address this conundrum:

While in the past IA function would propose a solid, mostly cycle-based three to four-year strategic audit plan that included only few alterations to address internal initiatives, projects or issues, planning has now become much more fluid and flexible.

IA functions should radically question the planned audit missions for the coming two to four quarters (i.e. 6 to 12 months) on a three-month basis and conduct a short but effective assessment as to which (=defined risk) and where (i.e. entity, function, process, business unit etc.) emerging risks require attention by IA. This enables added value while cutting down on what has little to no priority.

Unassigned IA time budgets should be not be used to add additional audits but instead assigned to support other, internal projects (see section further down) or to improve own Internal Audit processes and methodologies.

The planning should also be closely aligned with management and the board. While it may expose the IA function to a short-term threat of not being fully independent in its strategic planning, the compensation is that IA can address the right issues that matter most to the organization.

Finally, the IA function may have mandatory audit missions (i.e. testing as part of control framework assurance tasks) that cannot be postponed or moved. These should continue but use alternative testing means such as remote, online or DA driven testing, control self-assessment (CSA) procedures by local management (i.e. guest auditors) or by engaging local third-party professionals to conduct control testing.

Risk maps of IA functions from the past were mostly driven by materiality (i.e. cycle focused entity audits with some annual focus areas and qualitative measures) and then mapped to the corporate risk map. Under the new situation, IA should rethink its own risk map and start to monitor the risk situation continuously.

It should also engage in short but effective discussions with a wider circle of internal stakeholders to identify relevant and potential emerging risks. Key points of the discussion should be around how the organization is coping with the new circumstances. Here are some sample questions for such discussions:
 

• Validation: if and how processes, organizational setups, governance and control frameworks, IT and security systems were amended to ensure business continuity (i.e. wind-down and wind-up operations),
• Confirmation: which are the minimal corporate governance standard still imposed (i.e. delegation of authority guidelines, signature requirements, four-eyes principle, segregation of key duties, etc.) and how does the business ensure that these standards are effective (i.e. documentation, continuing application, testing, etc.),
• Assessment: how were COVID-19 measures (i.e. lock-downs, team splits, home-office, delayed projects, etc.) implemented and continue to be monitored for sustainability; what were the effects on the organization from the point of view of people (i.e. part-time work), processes (i.e. manual vs. automated workflow vs. bots), internal key project portfolio and initiatives, stakeholder management (i.e. KYC), etc.
• Materialization: which risks occurred, which are considered to be most pressing in the short and mid-term and how up-to-date is the current enterprise risk map

From the perspective of the IA function, this requires well-prepared staff that is completely familiar with the situation at the organization, its processes and controls, the company’s business model, its short-term initiatives and actions imposed by management and the applied COVID-19 strategy (i.e. home-office, wind down of operations, etc.).

Finally, if the IA function comes to the conclusions that current assurance needs do not fully fill the time budget available for the upcoming months, the IA function should seek alternative opportunities to support the organization. For example, it could enhance its cooperation with 2nd line functions, such as the Internal Controls department, ERM units or the Compliance function to strengthen the various governance frameworks.

For instance, we see a trend that existing Internal Control System frameworks (ICS) that have not been updated or amended for quite some time (i.e. 5 to 10 years) are now under scrutiny by the governing body of a corporation (i.e. board) as well as external stakeholders (i.e. external auditor confirming the existence and effectiveness of an ICS) for not providing the necessary assurance on key financial risks. It is often asserted that the ICS no longer accurately and completely reflects the risk situation, the process flow and control checks and that it is no longer embedded in the business as an effective governance framework efficiently.
With the in-depth knowledge of the organization, its workflows, culture and IT system, the Internal Audit function is ideal for supporting the 2nd line of defense adapting, amending, modernizing or simply updating the framework. Clearly, the support provided by IA should not include the actual implementation of controls or take on the responsibility of owning risk or executing a related control. These tasks and duties remain with the 1st line of defense, i.e. the business.

However, this is an opportune moment to strengthen and improve the existing ICS framework, thus making it more valuable to the organization (i.e. fewer manual controls and more effective design of reviews, detection or automated checks).

The same holds true with the ERM framework or the Compliance Management System (CMS), where IA can support the adaption of the risk catalogue and its assessment (i.e. probability, impact, response time-frame, ownership, mitigating actions) or help Compliance to better align the CMS with other internal governance frameworks (i.e. ICS, ISO9001) or embed it more effectively in the organization.

In the coming blogs, we will discuss other challenges an IA function has to deal with in today’s world, notably the question around staffing and talent management, the execution process and what key risks to address in the coming 6 to 24 months.

^Footnotes:

^{1 The three-lines-of-defense being:}

^{1st line: risk owner and responsible for managing risk
2nd line: risk control and monitoring duties and support 1st line in effectively addressing risks
3rd line: independent risk assurance such as Internal Audit or External Audit}

^{2 In this four-part series, the questions what key risks could be of relevance in the coming 6 to 24 months will be addressed in the fourth part.}