There are current questions about how internal audit should position itself in light of the impact of Covid-19:
- How relevant is the current audit plan and which parts of it need to be reworded?
- How is Internal Audit keeping up with the pace of change occurring in the organisation, including changes in the control environment?
- How does the department adapt to be able to support the organisation in managing new business risks?
- How can an internal audit team better use technology and data to gain comprehensive insights?
It seems, however, that we are at a crucial point where there is a viable answer to these questions: Internal Audit needs to take a more data-driven approach that monitors risks and enables rapid action to help the organisation deal with the risks created by Covid-19. This can be achieved through Continuous Risk Assessment (CRA), using technology to monitor risks arising from Covid-19 through the lens of Internal Audit. We believe this is a transformative moment for internal audit departments. KPMG's Internal Audit teams have extensive experience in structuring and executing a useful dashboard, which strengthens the role of Internal Audit within the overall organisational response.
What is CRA (continuous risk assessment)?
CRA is a data-driven approach that typically uses dashboarding to help monitor KPIs and KRIs across locations and auditable business units and to identify anomalies. The goal of CRA is to identify dependencies between KPIs and KRIs that process owners may not consider as part of their monthly business reviews. For example, we often find that HR turnover metrics can have a significant but hidden impact on operations. Internal Audit can monitor this interdependency and encourage collaboration where appropriate. Internal audit would follow up on these cases accordingly and define how to ensure insights and reliability, thus responding to potential risks. The current opportunities to apply a simplified CRA approach to address the risks created by COVID-19 do not primarily depend on whether you have conducted a data-based risk assessment similar to CRA in the past.
COVID-19 changed the dynamic process of corporate monitoring. Values and tolerances that applied until today may now be of little importance. This is because the entire conception was based on a "business-as-usual" environment. Some of the audit plans designed over a month ago are hardly applicable today. The process owners are working hard to keep the core activities at an appropriate level.
The current circumstances provide an opportunity for a necessary shift in the practical use of monitoring capacity. We recommend that Internal Audit allocate its resources to establishing a simple and scalable CRA dashboard to monitor critical business elements and inform process owners of risk areas that require special attention. It is about identifying changes in the business and ensuring that they are managed appropriately. Such an assessment summarises what is working and what is not in our new reality.
The place of internal audit
Today, the board and executives, including the CEO and CFO, are responding in real time to a number of Covid-19 risks in areas that until a month ago were considered business as usual and therefore stable. These include:
- Employee wellbeing and workforce management
- Cash flow and liquidity
- Maintaining the control environment and mitigating the risk of fraud
- Navigating and predicting the impact of Covid-19 on the business, across sales, operations and finance
- Cost containment
- Supply chains
- Remote cyber security
- Shifting customer focus
Internal Audit has the opportunity to support the business in the above areas by using a simple dashboard that uses relevant external as well as internal data to inform decision makers about the impact of Covid-19. Below are examples of some practical steps that Internal Audit can take to ensure employee wellbeing and workforce management:
- Integrate the latest Covid-19 case data and employee location data. Most data sources you find on the internet are updated daily.
- Name the number of active cases and their growth rate according to staff locations.
- Consider the functional role of your staff according to their location. Do they work from home? Do any of them still need to report to a physical location? Can you monitor changes in these locations should there be government mandated restrictions?
- Include benchmarks for human resource management and health and safety. Consider ways to keep track of staff attendance, e.g. email traffic, remote sign-in, badge deductions, etc. The purpose of these metrics is to identify large shifts in activity, both to detect sites that are more heavily impacted and to monitor when these sites can be brought back online.
Finally, it is important to remember that your leaders and colleagues want to be part of an organisation that makes the most of a challenging situation like this. The approach described above focuses on reporting according to individual sites. It could make or break the success of the transition from office to telework for many within the organisation.
If you and your internal audit department need further guidance on how to approach the above concepts decisively, please get in touch with your KPMG contact.
Some or all of the services described here may not be permitted for KPMG audit clients and their subsidiaries or affiliates.
Further Information (in German only)
Recommendations for short-term governance measures to guide companies safely through the current crisis.
Recommendations for short-term governance measures in the current crisis
Luisa v. Esterházy
Partner, Risk & Compliance Services
KPMG AG Wirtschaftsprüfungsgesellschaft