Jump on to read different sections of the article by clicking links below:
- How are the expectations of the board on risk changing during this period?
- How does the role of assurance functions evolve in response to large scale crisis situations?
- How can internal audit continue to provide risk assurance while also supporting the immediate needs of the organisation?
- Which techniques can internal audit apply for more tech and data driven approaches and what is the importance of an agile mindset?
The consequences of COVID–19 have changed the risk landscape. Internal audit functions are finding more than ever that they need to be closely aligned with, and responsive to, this changing risk landscape and rapidly evolving business demands and priorities. More than ever, they need to operate in more flexible and agile ways to remain relevant and add value to their organisation.
Key takeaways by timeframe from the forum members
Now – React to the rapidly changing risk landscape while continuing to deliver your core role
- revisit audit plans by adding resiliency lenses to the reviews performed in order to respond and anticipate the organisation’s changing risk profile
- focus on health check and diagnostic reviews as well as deep dives audits
- respond to the needs of Boards and Audit Committees who are looking for agility, assurance, ‘solution mindsets’ and reassurance
- create a new cadence of more frequent dialogue with Audit Committees and key stakeholders
Next/ Soon – ‘Fix’ what’s needed and control and optimise a more agile assurance plan
- revisit time frames for updating audit plans, executing audits and reporting
- provide assurance based on real time data and provide insights – organisations already set up to use data analytics will fare better than those without
- drive dynamic risk assessment into audit plan development and execution
- focus on team culture in a remote environment to achieve a balance of your “what, how and why” - increasing recognition of pastoral factors will be key in building successful and productive remote teams.
Eventually – Transition successfully to a ‘new normal’
- continued need to stay aligned with Audit Committee and other stakeholder expectations
- due to innovations realised from the current scenario, activities will need to be considered through the lenses of “cease, continue and commence”
- acceleration of real time insights and analytics alongside implementing, or optimising investments, in tools and technology
- review with your teams the challenges of transitioning to the office or continuing home working – one example quoted was access to Display Screen Equipment (DSE)
Our Chief Audit Executive (CAE) Forum meets regularly online to exchange ideas about how to manage the audit process through and beyond the current pandemic. The sessions on 7th and 20th May focused on answering four key cross-industry questions through the prism of actions that need to be taken now, soon/next and eventually.
How are the expectations of the Board and Committees of the Board on risk management changing during this period?
One board member from the utilities sector reported the crisis has brought risk thinking to the forefront. A range of risks have emerged that were not anticipated, so boards are looking for an agile mindset and solutions focus from their risk and audit teams, not just normal reporting.
Boards and Audit Committees are being very supportive but require reassurance that the risks and impact of COVID-19 are being addressed, and whilst appreciating that risks cannot be eliminated entirely, they need to be managed effectively and pragmatically. This is creating an opportunity for risk and audit professionals to act as trusted right hands to CEOs and CFOs.
It also extends into helping the business not just address the most immediate risks today, but also how to plan a sustainable business for the future. Constant communication with operational managers as well as a focus on timely data is vital to build insights and gain valuable perspectives that build confidence across the organisation.
One head of audit and risk in the pharmaceutical sector agreed that expectations from the board are being driven by having to deal with rapid and unprecedented change. While existing governance models must stay in place, new ways of working have had to be adopted quickly, including working remotely, collaborating with other companies and gathering real-time data for audit purposes.
Looking to the future, boards are looking for solutions in light of the emerging economic and geo-political environment, which has focused on closing borders and looking after local interests. There is inherent uncertainty over the impacts this will have on international trade and business in the future.
The head of internal audit at a financial services firm added that during the first weeks of the lockdown, business as usual audit took a back seat. Members of the team were sent to help different teams in the business but are now moving back to audit as pressure points have been relieved.
The next phase will involve looking at the 2020 plan for audit and prioritising/reprioritising activities. The audit team is working closely with the finance director and meeting every two weeks instead of producing quarterly decks and reports – this more dynamic sharing of data is likely to remain ongoing, with more formal and structured monitoring in place than the business has been used to.
Another approach was outlined by the head of internal audit and risk at an online retailer. He said that his team was asked to remain focused on their core role of providing independent assurance, leaving the management and business continuity teams to manage the reorganisation of the business.
How does the role of assurance functions evolve in response to large scale crisis situations?
An airline executive updated that COVID-19 has presented an existential threat to his business. The past few weeks have seen the transfer of ‘all hands to the pump’ with third line assurance team members transferring to the business and applying their skills to challenges such as business continuity, fraud mitigation, supply chain risk management and recovery.
His team is providing daily briefings to the executive board rather than periodic reviews. They are now considering issues such as how the business could learn from the current situations in terms of scaling up and down quickly in response to similar crises - and looking at projects that could be cut to preserve cash reserves. The biggest concern for the industry is that there are so many imponderables, such as consumer confidence and which countries will come back on line first.
The senior VP of internal audit at a telecoms firm said the pattern followed by her team is now anticipate, assure and advise. It’s vital to look at the impacts of risk both now and later, and how they will change. By providing more detailed and higher quality data to second line professionals, the team can focus on major emerging risks such as the impact on liquidity when customers are unable to pay bills, or how to source equipment that is normally imported from all over the world.
Phishing and cyber attacks are also on the rise and need to be managed. Measures such as Data loss prevention (DLP) tools may help manage corresponding risks, multi-factor authentication and stricter password requirements and additional training and awareness briefings are being stepped up. However, the upside of the crisis is that the team has gone back to the drawing board on audit strategy and changed 60% of the existing plan – disruption on this scale shows how quickly things can be changed.
A leader within an international power utility said that the necessarily detailed and extensive crisis and scenario planning already in place at his company had stood it in good stead when the lockdown happened. However, plans have still had to be flexed as they had been prepared for flu pandemics rather than Coronavirus, which has required unforeseen levels of social distancing and remote working.
A strong chain of command and crisis escalation procedure have also helped the utility market weather the storm, as has the acceleration of IT projects that were already in discussion, such as making more use of data analytics, using Teams and enabling remote working.
The director of an insurance group added that flexibility in business planning and crisis management needs to be built in following the current experience: having to move contact centre staff to work from home would never have been anticipated, for example, but it was possible to arrange this when it was needed.
One downside of remote working for audit teams is that they can no longer ‘read the room’ when visiting different parts of the business, which is one of the best ways to understand what is happening in terms of risk and assurance. Having quick, ad hoc conversations in the office to shape thinking is another element that is now missing, and both are processes that audit teams will need to do differently, possibly for the rest of the year and beyond.
How can internal audit continue to provide risk assurance while also supporting the immediate needs of the organisation?
Many departments have modified elements of their audit plan whilst some have thought prudent to defer portions to focus on essential operational activities. Across the sectors, represented, team resources have been reallocated to support IT, Finance and Crisis Management while paying attention to potential independence issues in the future. However, in some industries assurance has not changed.
A chief audit executive reported from the financial services industry that assurance has not changed and that the audit committee has asked her team to keep going, while also looking at how to create new processes that enable the firm to work around the challenges created by the pandemic.
Meanwhile, the audit team is co-mingling with the business to find these solutions, while sharing audit work across the team more equally to take account of the ongoing difficulties faced by individuals, such as the need to provide childcare and home schooling or coping with poor technology. It has been particularly challenging to carry out audits in overseas branches of the firm and using local resources may be a change that is adopted going forward.
An audit lead at a leading financial administration firm said that it had been agreed with their CEO to pause discretionary audit work for a period of four weeks. This enabled the leader to redeploy her team to first line defence activities such as redeveloping continuity plans, while documenting changes to processes so that colleagues could focus on running the business.
Part of her responsibility is to balance the expectations of the audit committee who expect business as usual even in a crisis, reassuring them that she is confident that the organisation is heading in the right direction.
The group head of audit at an international fashion business explained that it had been possible to both meet the immediate needs of the business while continuing with audit processes by building a ‘COVID-19 layer’ on top of existing health and safety assurance.
The ability to adjust guidance and procedures on the fly in line with regional conditions has been particularly valuable, as has the company’s accelerated use of dashboards and analytics.
This ability to speed up and throttle back according to changing risk profiles is likely to remain, with audit teams becoming more agile and closer to the business. One of the big challenges will be how to manage the uncertain risks associated with getting people back into the office, which will prove to be much more difficult than moving them out to work from home.
Which techniques can internal audit apply for more tech and data driven approaches and what is the importance of an agile mindset?
It is clear that while some organizations were prepared for remote working, however, many encountered challenges transitioning to a remote environment and using technology platforms and communication tools to enable that effectively.
Finally, the group head of internal audit at a business services company said that the only way to remain relevant in this crisis is to adopt an agile mindset and make decisions based on real-time data.
There has been and will be a unprecedented increase in the pace of change and it’s difficult to keep tabs on everything that happens in the organisation, but it’s vital to remain as plugged into as much as possible: this includes being aware of when elements of the business need to close down or start up, which can now take place within days rather than weeks.
One of Protiviti’s managing directors agreed that more regular contact between the audit team, the chair of audit and the business is vital. A framework that outlines regular weekly calls can help to get the business on board and avoid audit becoming a bottleneck on speedy decision making.
The internal audit leader at the London branch of an international bank concluded that operational resilience is a key concern for financial institutions, and that he had noted the ability of those organisations that were already focused on data analytics to adapt more effectively to new market conditions.
However, audit teams will need to adopt a different mindset to get the best out of data analytic tools and techniques. This will have to start with a better understanding of how they can be used in the audit process and with demonstrating value, particularly when physical audit visits are curtailed.
More shared experience on the use of technology and data driven solutions will follow in future Protiviti Chief Audit Executive Fora. In the meantime, key takeaways and actions for internal audit from the most recent events are in the box-out. If you’d like to discuss the learnings or join our forum, please email: [email protected]