As organizations deal with the impact of the coronavirus pandemic, internal audit (IA) teams and professionals have an opportunity to enhance their role by helping organizations weather the storm.
In the current environment, priorities are shifting rapidly. While some may consider this a time for IA to take a step back, an audit team can provide value by helping businesses ensure there is an organized approach as they adapt to the new normal.
To provide this value, internal audit teams should consider a simple, three-phased approach.
Phase 1: Talk
Don’t forget to communicate
Start by considering existing strategic relationships. Get in touch with key contacts such as the audit committee chair or members of senior management to determine next steps and priorities. Then, begin strengthening and developing other connections, such as reaching out to the organization’s crisis response team.
When speaking to these internal stakeholders, have a clear message to share and communicate how IA will pivot. Explain how current projects may change—whether they will be completed, deferred, or revised. Clarify what limitations the IA function may face as a result of the crisis, and identify opportunities for shifting the audit plan to best support the organization in the current environment. Remember that management may need help immediately. The IA team will need to shift its approach to be more agile and respond to this need.
Communication does not need to be strictly internal. Where appropriate, communicate with external sources such as peers in the industry, government, and the general IA community. Use this opportunity to learn from each other, including determining how others are impacted and how they are supporting their organizations. These learnings will be valuable today, and could inspire innovative thinking for the future.
Phase 2: Look
Reassess the risks
One of an internal audit team’s key functions is to help the organization manage its risks—a role that is even more vital now. For many, COVID-19 has created new risks as well as intensified existing ones.
Having established the communication channels suggested in Phase 1, IA can quickly learn the impact of those risks and assist the organization in identifying, assessing, and responding to emerging risks through the following steps:
- Risk identification. Determine whether any new risks have emerged.
- Risk assessment and evaluation. Assess (or reassess) both existing and emerging risks, and determine the level of impact to the company. Perform a risk prioritization exercise and identify any areas that were not covered in the audit plan and need immediate attention.
- Risk response. Ensure the existing audit plan continues to match the most significant risks. If not, consider amending the plan to include an appropriate response.
Phase 3: Plan
Modify the current audit approach
Based on the risk reassessment, and the potential amendment of the audit plan, IA will need to take additional steps to support the organization effectively, both during and after the crisis. These three steps can help:
- Pivot the current audit plan
If the audit plan does not initially capture the reassessed risks, revise it in the interim. Consider developing a short-term audit plan, such as one for the remainder of the year, or for the next three to six months. Once the audit plan has been redeveloped, IA should redirect its resources to the most urgent and significant risks. This may mean moving towards more consulting projects, with less emphasis on assurance and lower-risk audits.
For current audits that are near completion (i.e. 70-75% complete), make a reasonable effort to finish them as quickly as possible, in order to redeploy resources to more urgent projects. For projects in the original audit plan that are not yet started, or in early stages, it may be beneficial to delay them so that resources are focused on adding maximum value to the company in times of crisis.
- Shift to agile auditing and faster reporting
Risks are changing quickly, and the internal audit response should change just as quickly. IA staff often possess crucial skills in data analytics, controls, accounting, and process efficiency that will help address key risks. As such, IA can act as advisors and ensure the response team performs actions quickly, without compromising effectiveness. As an example, IA may perform stress testing to identify operational risks and potential vulnerabilities that have arisen because of COVID-19.
Another example is audit reports. During a crisis, a formal audit report that goes through layers of review and approvals may not be what the organization needs. Shorter reports, dashboards, or summaries could be used instead to provide management with the necessary information much more quickly.
- Act immediately
IA cannot sit on the sidelines and only be put into the game when the game is already lost. It needs to get right into the action. Should there be concerns around independence, IA should still consider getting involved where it can to assist the organization, as long as objectivity can be maintained. While there could be a risk of causing independence issues later on, third parties can be brought in to conduct future audits. The immediate value IA can bring could provide greater benefit to the organization, both in the current environment and over the long term.
Source: BDO Canada