Internal Audit During and Beyond COVID-19
The impact of COVID-19 on operations and the overall economy could potentially last for months or even years. Looking towards the situation and how extended disruptions have affected the supply chains, productivity, business growth, etc., several key considerations have been set up at the organizational level to anticipate emerging risks. Intending to survive in this epidemic situation, organizations are planning on how to manage post-epidemic scenarios, such as quickly ramping up production to respond to the pent-up demand.
As organisations adapt to deal with the initial impact of COVID-19, Internal Audit functions have an essential role to play amidst crisis to continuously provide assurance and help management in critically analyzing and anticipating emerging risks. The primary responsibility for managing the risks associated with the crisis is of the management. However, Internal Auditor (IA), through involvement in different activities like discussions with management and the board, can assess whether all the current and future risks have been identified. The internal auditor needs to analyze to what extent management is ready with business continuity plans to meet COVID-19 and its associated risks. The key actions that an internal auditor should plan in support of organizations are enlisted below:
- Assessment: Internal Auditor is a master at the objectivity of addressing risks; through conversations with management and involvement in a variety of activities, the internal auditor can assess as to whether management has considered potential disruptions off-site also. This is an important aspect, especially if something unthinkable has happened during the outbreak.
- Planning: Planning engagements with the Audit Committee and other stakeholders/ regulators in understanding their perspective and key priorities amid the pandemic, anticipating the level of critical work required to mitigate the risks caused due to outbreak and whether any new risks are emerging out of planned work.
- Reporting: The internal auditor should remain alert of the following:
- It is high time that fraud risks may cause another issue, as opportunities are enabled for both external and internal parties. Financial reporting frauds are expected to be heightened, especially in situations of employee terminations or employees suffering personal financial stress in these unprecedented times. Possible instances of the same should be reported.
- With a high level of uncertainty all around, there are many instances of control override, both by employees and management personnel. IA should keep on reviewing the internal controls in order to keep the business operating efficiently.
- Security: The internal auditor should consider the risk related to employees working from remote locations for long periods. Individuals may inadvertently compromise business security. The chance of cyber risk has reached its highest level as more employees are working virtually. The IA, in discussion with the audit committee and management, should plan the additional steps to be taken to address the associated risk and review the user access controls.
- Resources: The internal auditor should consider whether sufficient resources, including third parties, are in place to maintain critical activities at adequate levels. Reviewing the management’s plan to deal with changes in demand and balancing it with both stock and resources accordingly can prove to be profitable in these difficult times.
- Review and Monitor: The internal auditor should continue to review and monitor the plans build up to deal with the situations happening not only inside the organization but also outside the organization. Present circumstances all around reinforce the need for well-developed and tested planning. IA should review these action plans formulated and should advise the management wherever deficiencies exist. This time is not just to report the problem but to ensure that plans are adequate.
- Collaboration: The internal auditor should plan and perform the audit work in such a manner that a greater reliance can be put on the external auditor in priority areas and, in communication with management, understand whether any changes to the audit plan and risk assessment is required. Independent assurance provided by IA will mitigate the chances of complexities on the part of external auditing requirements.
Well, covering up the whole situation, internal audit functions should take the opportunity to adopt the practices that have proved to work effectively during the crisis as ‘all-time practices’. Set of examples is working from remote locations, meetings through video-conferencing, more frequent communications with stakeholders and regulators, greater ease of technology etc. This practice will lead to long-term benefits for the entity in terms of increased efficiency, lower expenses on administration, better work-life balance and a more flexible risk assessment and planning process.