Luka Zupan, Partner

As most companies are experiencing a partial or full lock-down of their day-to-day operations, Internal Audit is also being impacted by these new circumstances.

It is therefore crucial for the Chief Audit Executive (CAE) to revisit the strategic audit plan and re-assess the potential impact that the pandemic situation has on business operations, corporate governance as well as the control environment and finally, on the IA function and the team itself. 

Management of IA staff

Above all, the health and well-being of the IA staff needs to be secured. By now, all internal auditors on assignment abroad should have successfully returned home and – depending on the country visited – be on a self-imposed quarantine leave for 14 days. Furthermore, the IA function should ensure that, in case of a partial or full lock-down, all IA staff have adequate means to work from home (e.g. laptop, screens, connection). In cases where a longer period of home office has already been introduced, the CAE should maintain a continuing exchange within the team, e.g. by providing periodic newsletters on the current situation, introducing weekly conference calls with the entire team or by having bilateral exchanges with the IA employees on a semi-daily basis.

New emerging risks

In addition, the CAE should re-evaluate the emerging risk conditions of the business and compare the new situation with the current strategic audit plan. What was perceived as being important and relevant in terms of risk half a year ago might very well have been replaced by new, emerging risks that developed as part of the pandemic crisis. Emerging risks could for example include:

New organizational regime:

  • Non-compliance with imposed travel rules or home-office policies
  • Tracking tools to monitor staff-mobility are incomplete or inaccurate
  • Actions and new behavioral rules at the offices to avoid infection (i.e. 2m distance at work, cancellation of client events, cancellation of attendance at conventions, etc.) are not fully effective
  • Communication on short-term actions does not include the complete organization, is not made in a timely manner or not followed accordingly (e.g. rule of no third-party access to premises, stopping of non-crucial internal projects)
  • Unaligned internal and external communication strategies resulting in confusion, retracting of communication memos etc.

Business operations:

  • Critical business operations (e.g. supply-chain) are not properly identified, or the actions imposed on them are not enforced fully, accurately or in a timely manner
  • Business continuity plans have not been implemented or rolled-out as planned or are running behind schedule

Liquidity and financial management:

  • Inaccurate or incomplete assessment or management of short- and mid-term liquidity planning (i.e. potential default due to outstanding AR balances)
  • New imposed rules on capex/opex expenditures (i.e. putting projects on hold or deferring) are not adhered to or not accurately and timely monitored
  • Non-alterable contracts that are cost-relevant or have legal implications on the operations of the business due to long-term commitments (i.e. payment terms, unfavorable terms and conditions, agreed purchase volumes, rents, etc.)

IT infrastructure:

  • IT and network infrastructure is not operated at needed capacity level
  • Potentially risky short-cuts are taken to ensure remote IT access (i.e. more users than available licenses, lower security levels to compensate for insufficient bandwidth, etc.)

Governmental support:

  • Non-enforcement or ineffectual monitoring of policies to avoid or actively reduce overtime
  • Requests for governmental support are not submitted in a timely manner, are incomplete or do not accurately reflect the situation (e.g. lack of visibility in terms of overtime)

Reassessment of the strategic audit plan

Based on such examples, the CAE should thoroughly reassess the strategic audit plan in terms of 1) feasibility, 2) practicability and 3) usefulness of the scheduled audit missions.

1) Feasibility: Assessing if, for example, audits that include travel to foreign countries can still be executed as scheduled due to temporary travel bans imposed, inability to use transportation means (i.e. cancelled flights) or closed borders at the destination.

2) Practicability: This relates to the questions of certain audit topics that may require extensive process walkthroughs, on-site interviews and the review of physical documentation and whether these are still effectively and efficiently possible when the organization is in lock-down mode and potential interview partners are not at the office.

3) Usefulness: The CAE, in close alignment with Executive Management and the Audit Committee, should assess whether certain audits should be deferred from a risk perspective as they may no longer pose an imminent threat to corporate governance or cause a failure of controls.

Assessment of fraud situation

In addition to this assessment, the CAE should furthermore evaluate the organization’s current corporate governance and internal control framework and how the pandemic situation might impact its effectiveness. In cases of a partial or full lock-down of office premises, business operations become virtual, requiring more conference and video calls as well as email correspondence.

Whether intentional or unintentional, this may also trigger the circumvention of controls, softening of segregation of duties principles or overriding usual approval procedures. Deviations from the business-as-usual mode and the potential rationalization of resources usually result in a lower level of control, which, together with an increased pressure in terms of time, costs or delivery, could create opportunistic behavior by individuals.

It is important that CAEs, with their in-depth knowledge of the organization, processes, controls and culture, accurately assess the potential risk of fraud and, accordingly, reassign IA resources to a more preventive monitoring of corporate governance and control effectiveness. Some questions that should be addressed are:

  • Are key controls covered and effectively designed in the primary processes? What additional controls should be considered regarding the organization’s exposure to internal and external influences?
  • How can employees be controlled or checked upon if they work from home?
  • Is there sufficient awareness of potential external manipulation in the financially relevant processes? Good examples are fraudulent invoices, standard encrypted file transfer locations and the verification of email recipients/senders.
  • Does a decrease in available employees lead to an increased risk of misappropriation of assets?
  • How is the performance of the company? Are there additional risks arising from the current situation? Will there be significant deviations from the original budget and forecasts in light of lowered production, broken supply chains, sickness, etc.?

Continue the internal audit operations

Once the CAE has a clear understanding of the priorities for the coming weeks and months, the plan should be aligned with Executive Management and ideally formally reapproved by the Audit Committee. Following the green light, the CAE should assess how to put the plan into action, that is, evaluate for each audit the following options with regard to the field work needed:

  • Remote work: Can the field work be effectively performed using modern communication means such as video-conferencing, sharing computer screens, accessing secure cloud-based share-drives to facilitate the exchange of documents (e.g. upload of control execution documentation), or by using iPads or similar devices to review PDF documents and include personal, handwritten remarks which are then shared with the auditee and discussed further?
  • Local support: Is it possible to use local internal or external resources that can access the premises and conduct process walkthroughs, document reviews and control testing on site while being managed remotely by the audit manager through daily calls and daily reviews of the audit-work-program?
  • IT data access: Can IT data access be used to address certain risks to be covered by the audit field work (e.g. checking short-term changes of access rights and ineffective segregation-of-duties or evaluating statistics that show the overriding of controls and checks within the automated work-flow)?
  • Data analytics: If deemed appropriate and effective, the IA function should now seek new and alternative ways to conduct audit procedures by using mass-data to identify patterns (i.e. transaction anomalies, manual interventions) and assess potential failures of controls 
  • Collaboration: Assessing if other assurance functions (i.e. compliance, quality management, security officers, risk management, etc.) can support special audits by conducting walkthroughs on site or provide own assessments to a specific situation that is relevant to the field work.

Conclusion

To ensure the right response from the IA function, and particularly the Chief Audit Executive (CAE), this emerging pandemic situation needs to be thoroughly examined and its impact on the strategic internal audit plan assessed. CAEs should first ensure the safety of their staff and at the same time re-evaluate their audit plans in terms of feasibility, practicability and usefulness. Furthermore, new emerging risks that are linked to these extraordinary circumstances need to be taken into consideration. By doing this, CAEs together with their teams can play a vital role in ensuring that the organization will master this situation in a more effective and efficient way.
