As most companies are experiencing a partial or full lock-down of their day-to-day operations, Internal Audit is also being impacted by these new circumstances.
It is therefore crucial for the Chief Audit Executive (CAE) to revisit the strategic audit plan and re-assess the potential impact that the pandemic situation has on business operations, corporate governance as well as the control environment and finally, on the IA function and the team itself.
Management of IA staff
Above all, the health and well-being of the IA staff needs to be secured. By now, all internal auditors on assignment abroad should have successfully returned home and – depending on the country visited – on a self-imposed quarantine leave for 14 days. Furthermore, the IA function should ensure that in case of a partial or full lock-down that all IA staff has adequate means to work from home (i.e. laptop, screens, connection). In cases where a longer period of home office has already been introduced, the CAE should ensure that a continuing exchange between the team is ensured, i.e. by providing periodic newsletters on the current situation, introducing weekly conference calls with the entire team or by having bilateral exchanges with the IA employees on a semi-daily basis.
New emerging risks
In addition the CAE should re-evaluate the emerging risk conditions of the business and compare the new situation with the current strategic audit plan. What was perceived as being important and relevant in terms of risk half a year ago might have very well been replaced by new, emerging risks that developed as part of the pandemic crisis. Emerging risks could for example include:
New organizational regime:
- Non-compliance with imposed travel rules or home-office policies
- Tracking tools to monitor staff-mobility are incomplete or inaccurate
- Actions and new behavioral rules at the offices to avoid infection (i.e. 2m distance at work, cancellation of client events, cancellation of attendance at conventions, etc.) are not fully effective
- Communication on short-term actions does not include the complete organization, is not made in a timely manner or not followed accordingly (e.g. rule of no third-party access to premises, stopping of non-crucial internal projects)
- Unaligned internal and external communication strategies resulting in confusion, retracting of communication memos etc.
- Proper identification and imposed actions on critical business operations (i.e. supply-chain) is not fully, inaccurately or not timely enforced
- Business continuity plans have not been implemented or rolled-out as planned or are running behind schedule
Liquidity and financial management:
- Inaccurate or incomplete assessment or management of short- and mid-term liquidity planning (i.e. potential default due to outstanding AR balances)
- New imposed rules on capex/opex expenditures (i.e. putting projects on hold or deferring) are not adhered to or not accurately and timely monitored
- Non-alterable contracts that are cost-relevant or have legal implications on the operations of the business due to long-term commitments (i.e. payment terms, unfavorable terms and conditions, agreed purchase volumes, rents, etc.)
- IT and network infrastructure is not operated at needed capacity level
- Potentially risky short-cuts are taken to ensure remote IT access (i.e. more users than available licenses, lower security levels to compensate for insufficient bandwidth, etc.)
- Non-enforcement or ineffectual monitoring of policies to avoid or actively reduce overtime
- Requests for governmental support are not submitted in a timely manner, incompletely or not in reflection of the accurate situation (i.e. lack of visibility in terms of overtime)
Reassessment of the strategic audit plan
Based on such examples, the CAE should thoroughly reassess the strategic audit plan in terms of 1) feasibility, 2) practicability and 3) usefulness of the scheduled audit missions.
1) Feasibility: Assessing if, for example, audits that include travel to foreign countries can still be executed as scheduled due to temporary travel bans imposed, inability to use transportation means (i.e. cancelled flights) or closed borders at the destination.
2) Practicability: This relates to the questions of certain audit topics that may require extensive process walkthroughs, on-site interviews and the review of physical documentation and whether these are still effectively and efficiently possible when the organization is in lock-down mode and potential interview partners are not at the office.
3) Usefulness: The CAE, in close alignment with Executive Management and the Audit Committee, should assess whether certain audits should be deferred from a risk perspective as they may no longer pose an imminent threat to corporate governance or cause a failure of controls.
Assessment of fraud situation
In addition to this assessment, the CAE should furthermore evaluate the organization’s current corporate governance and internal control framework and how the pandemic situation might impact its effectiveness. In cases of a partial or full lock-down of office premises, business operations become virtual, requiring more conference and video calls as well as email correspondence.
Whether intentional or unintentional, this may also trigger the circumvention of controls, softening of segregation of duties principles or overriding usual approval procedures. Deviations from the business-as-usual mode and the potential rationalization of resources usually result in a lower level of control, which, together with an increased pressure in terms of time, costs or delivery, could create opportunistic behavior by individuals.
It is important that CAEs with their in-depth knowledge of the organization, processes, controls and culture can accurately assess the potential risk of fraud and accordingly, reassign IA resources to a more preventive monitoring of corporate governance and control effectiveness. Some questions that should be addressed are:
- Are key controls covered and effectively designed in the primary processes? What additional controls should be considered regarding the organization’s exposure to internal and external influences?
- How can employees be controlled or checked upon if they work from home?
- Is there sufficient awareness of potential external manipulation in the financially relevant processes? Good examples are fraudulent invoices, standard encrypted file transfer locations and the verification of email recipients/senders.
- Does a decrease in available employees lead to an increased risk of misappropriation of assets?
- How is the performance of the company? Are there additional risks arising from the current situation? Will there be significant deviations from the original budget and forecasts in light of lowered production, broken supply chains, sickness, etc.?