The consequences of COVID-19 have changed the risk landscape. Internal audit functions are finding more than ever that they need to be closely aligned with, and responsive to, rapidly evolving business demands and priorities. Increasingly, they need to operate in more flexible and agile ways to remain relevant and support their organisation.
Our weekly Chief Audit Executive (CAE) Forum is planning to exchange ideas about how to manage the audit process through and beyond the current pandemic. The session on 7th May 2020 focused on four key questions through the prism of actions that need to be taken now, soon/next and eventually.
- How are the expectations of the board on risk changing during this period?
The ex-head of audit and risk at a major utility, who is now a board member at a development agency, said the crisis has brought risk thinking to the forefront. A range of risks have emerged that were not anticipated, so boards are looking for an agile mindset and solutions focus from their risk and audit teams, not just normal reporting.
Boards also want reassurance that risks are being addressed, understanding that while risks cannot be eliminated they can be dealt with effectively and pragmatically. This is creating an opportunity for risk and audit professionals to step up and act as the trusted right hands to CEOs and CFOs.
It also extends into helping the business not just deal with the most immediate risks today, but also how to plan a sustainable business for the future. Constant communication with operational managers as well as a focus on timely data is vital to build insights and gain valuable perspectives that build confidence across the organisation.
The head of audit and risk at a pharmaceutical company agreed that expectations from the board are being driven by having to deal with rapid and unprecedented change. While existing governance models must stay in place, new ways of working have had to be adopted quickly, including working remotely, collaborating with other companies and gathering real-time data for audit purposes.
Looking to the future, boards are looking for solutions in light of the emerging economic and geo-political environment, which has focused on closing borders and looking after local interests. What impact will this have on international trade and business in the future?
- How does the role of assurance functions evolve in response to large scale crisis situations?
The head of risk and assurance at a European airline said that COVID-19 has presented an existential threat to his business. The past few weeks have seen the transfer of ‘all hands to the pump’ with third line assurance team members transferring to the business and applying their skills to challenges such as business continuity, fraud mitigation, supply chain risk management and recovery.
His team are providing daily briefings to the executive board rather than periodic reviews. They are now considering issues such as how the business could learn from the current situation in terms of scaling up and down quickly in response to similar crises, and looking at projects that could be cut to preserve cash reserves. The biggest concern for his industry is that there are so many imponderables, such as consumer confidence and which countries will come back on line first.
The senior VP of internal audit at a telecoms firm said the pattern followed by her team is now anticipate, assure and advise. It’s vital to look at the impacts of risk both now and later, and how they will change. By providing more detailed and higher quality data to second line professionals, her team can focus on major emerging risks such as the impact on liquidity when customers are unable to pay bills, or how to source equipment that is normally imported from all over the world.
Phishing and cyber attacks are also on the rise and need to be managed. However, the upside of the crisis is that the team has gone back to the drawing board on audit strategy and changed 60% of the existing plan – disruption on this scale shows how quickly things can be changed.
- How can internal audit continue to provide risk assurance while also supporting the immediate needs of the organisation?
The chief internal auditor at an investment management firm said that assurance has not changed and that the audit committee has asked her team to keep going, while also looking at how to create new processes that enable the firm to work around the challenges created by the pandemic.
Meanwhile the audit team is co-mingling with the business to find these solutions, while sharing audit work across the team more equally to take account of the ongoing difficulties faced by individuals, such as the need to provide childcare and home schooling or coping with poor technology. It has been particularly challenging to carry out audits in overseas branches of the firm and using local resources may be a change that is adopted going forward.
The chief audit executive at a shares administration company said that she had agreed with her CEO to pause discretionary audit work for a period of four weeks.
This enabled her to redeploy her team to first line defence activities such as redeveloping continuity plans, while documenting changes to processes so that colleagues could focus on running the business.
Part of her responsibility is to balance the expectations of the audit committee who expect business as usual even in a crisis, reassuring them that she is confident that the organisation is heading in the right direction.
- Which techniques can internal audit apply for more tech and data driven approaches and what is the importance of an agile mindset?
Finally, the group head of internal audit at a business services company said that the only way to remain relevant in this crisis is to adopt an agile mindset and make decisions based on real-time data.
There is a huge increase in the pace of change and it’s difficult to keep tabs on everything that happens in the organisation, but it’s vital to remain plugged into as much as possible: this includes being aware of when elements of the business need to close down or start up, which can now take place within days rather than weeks.
More discussions on the use of tech and data driven solutions will follow in future Protiviti CAE Forums. In the meantime, key takeaways and actions for internal audit from this week’s event are as follows:
What do we need to think about now?
- Boards and Audit Committees are expecting increased levels of communication and visibility with a much more regular dialogue with the assurance functions.
- Risk is at the centre of discussions, and the ability to contribute to the understanding of emerging risks and the organisation's new risk profile is key.
- The expectations are also focused on a much more solution-oriented approach, agile internal audit methods and the capability to provide confidence in a very rapid change environment.
What do we need to think about next?
- Internal audit needs to adjust the audit plan, not only to prioritise the COVID-related responses but also to adopt a much more agile way of working going forward.
- Providing assurance in real time and implementing data driven methods is expected to enable reassessing risk priorities in a fast-moving landscape.
What do we need to think about eventually?
- Enabling meaningful collaboration and alignment with other assurance functions will be crucial for those internal audit functions seeking to provide an enhanced level of assurance.
- Maximising the opportunities that the “new normal” brings to the internal audit function and recognising the new talent and skills requirements will set the future internal auditor up for success.