Returning Internal Audit to 'Business as Usual' in a New World
Eight Recommendations for Addressing the Impacts of COVID-19 on Financial Services Industry Audit Plans
The COVID-19 pandemic continues to wreak untold havoc on individuals, businesses and economies throughout the world, with no clear end in sight. The financial services industry (FSI) has by no means been immune. An abundance of pandemic-related events, including the implementation of cascading regional stay-at-home orders, various government relief programmes globally, downturns across numerous industries, and historic furloughs and job losses, have tested financial services institutions like no crisis in generations.
Given these upheavals in “business as usual,” internal audit departments within financial services institutions have been forced to pivot quickly, reprioritising and adjusting their audit plans on a dime. This has resulted in the delay, deferment and even cancellation of many internal audit plans and activities in 2020.
At the same time, COVID-19 has introduced new risks (e.g., employees working remotely, workplace safety), as well as new components to existing risk areas (e.g., supply chain sustainability, customer experience and service). These developments have forced internal audit departments to free up capacity and shuffle resources to focus on these emerging priorities. Also, many financial services organisations restructured their 2020 audit plans significantly, perhaps more than at any other time in recent history, and, in some instances, created a backlog of critical or key audits.
Despite the many challenges, internal auditors globally have shown remarkable agility and resilience. For instance, in a recent survey of more than 1,500 internal auditors from 95 countries, The Institute of Internal Auditors (IIA) notes that, in response to COVID-19, more than half of all functions updated audit plans, reviewed risk assessments and worked on identifying emerging risks. The full results of The IIA survey are published in the paper COVID-19: The Initial Impact on Internal Audit Worldwide.
Going into 2021, as the risk landscape continues to evolve, internal auditors can no longer rely on traditional, monolithic approaches. Today’s dynamic environment requires new approaches and thinking. In this paper, we offer eight key recommendations for internal audit departments in financial services institutions that have experienced major upheavals, with the goal of enhancing the effectiveness of internal audit and the ability to provide assurance on risk management and controls during a rapidly evolving economic environment.
Recommendations for Addressing the Impacts of COVID-19 on FSI Internal Audit Plans
Each internal audit function faces its own unique challenges based on the size of the financial institution, its customers and clients, the complexity of its business, and the effects of COVID-19 on the organisation. Internal audit’s view of the effects of the pandemic and the way forward for the organisation should be validated with the audit committee and executive leadership.
The following recommendations should be considered, in part or in whole, while keeping in mind the specific circumstances of each financial services institution. In many instances, employing next-generation internal audit governance, methodologies and enabling technologies will provide a significant advantage.
- Commit to becoming an adaptable internal audit function: Utilising traditional, monolithic approaches to auditing dynamic and changing risks is no longer acceptable. Given the greater prevalence of data in financial services institutions, internal auditors need to deploy methodologies and tools that provide for the capture and analysis of data, turning it into insights as close to real-time as possible. These next-generation internal audit efforts require an internal audit culture that embraces change as well as agile, analytics-driven and scalable execution.
- Transition to a dynamic risk assessment approach: Given the current business challenges and risks, internal audit functions should transition their focus from a static, traditional cycle-based model to a dynamic risk assessment approach – a key element in a next-generation internal audit function. Shifting to a proactive, dynamic methodology, during which audit hours typically are focused on executing projects, versus a cycle-based approach (e.g., semiannual, quarterly), will enable organisations to:
  - Identify changing risk trends in real-time.
  - Re-prioritize coverage of risk as changing trends are identified.
  - Develop an ongoing and common view of risk and the integrated assurance map across the three lines of defense.
Additionally, audit organisations that have adapted their risk assessment approach to quantify risk more effectively on a real-time basis and have executed relevant assurance work to align with key organisational risks and priorities have navigated the pandemic – as well as the resulting changes in business and risk – more successfully than those organisations without these capabilities.
- Identify and prioritise which backlogged audits still need to be completed: In the wake of the pandemic’s onset, many internal audit departments were forced to place prescheduled audit activities on the back burner due to rapidly shifting priorities and redeployed resources. According to The IIA’s recent survey, about half of the more than 1,500 respondents reported cancelling or reducing the scope for some audit engagements in response to COVID-19. Now is the time to review this list of backlogged projects and begin prioritising based on risk type, resource availability, stakeholder feedback, regulator focus, established requirements and other factors. Once a prioritisation methodology is developed, internal audit should adjust or revise the existing audit schedule based on the output of this exercise. The review is essential as it may provide insights into audits that may no longer be worth pursuing given the changed environment or into those audits that were managed remotely and whether there are lessons to be learned from the remote-audit work process.
- Revisit opportunities for automation: Next-generation internal audit technologies have become more critical amid the current challenging business and working conditions. Going forward, internal audit leaders should determine if initiatives and investments to incorporate more automation into the audit process were put on hold and, if so, assess if they can be implemented. As part of the considerations regarding automation, the focus should be on high-volume transaction areas with mature control environments, for which first-time investments in automation can reap the most benefits. (For further insights, see the sidebar, “Empowering Next-Gen Internal Audit With Advanced Technologies,” below.)
Empowering Next-Gen Internal Audit With Advanced Technologies
Technology plays an integral role in effective internal audit functions. The pandemic environment has further amplified the need to adopt new technology solutions in internal audit that are likely to remain even after social distancing expectations begin to ease.
Internal auditors within many organisations are leveraging advanced data analytics to map out action plans more effectively, make better inquiries into the various owners of risk and processes, and improve how, when and where audits are conducted. During the pandemic, internal audit task forces have used such data to inform and test the value of key risk indicators and, in some cases, recalibrate the indicators to better align with the data that’s available.
Additionally, process mining is becoming a key differentiator for internal audit programmes, particularly in a work-from-home environment. Process mining technology provides auditors with critical insight into how systems and processes are operating in those situations and identifies where deviations may be occurring.
Internal audit functions in a variety of sectors are deploying cognitive technologies like artificial intelligence, machine learning and natural language processing to increase the effectiveness, timeliness and efficiency of complex testing. For example, natural language processing techniques provide an automated way to identify word and phrase patterns in structured and unstructured data sources and documents. Such methods can be used to classify documents based on their contents, for example, by identifying adverse or otherwise noteworthy clauses in contractual arrangements.
Finally, auditors can deploy algorithms such as k-means and hierarchical clustering to identify and group similar elements in data sets that may not be immediately apparent to the auditor reviewing the data. This will allow internal audit to, for example, identify suspicious or high-risk transactions and better stratify populations for risk-based analysis.
- Assess resource capacity: Making sure you have the right skills, capabilities and capacity is essential to ensuring you can provide assurance over risks that are changing at an increasing velocity. Resources have been put to the test during the COVID-19 crisis. In many cases, internal audit staff were moved to the first line to provide support with COVID-19 response and customer service activities, contributing to delays in prescheduled audit activities. Staff reductions have also impacted internal audit functions, although at a lower scale compared to budget cuts. Globally, internal audit staff reductions have been most severe in consumer-facing businesses, such as retail, food and travel, The IIA survey shows.
Going forward, internal audit functions should assess current and forecasted resource and skillset capacities to ensure that resources are available to address the most critical risks, including new and emerging risks resulting from the pandemic as well as those risks inherent in the business. Aligning existing resources against the highest risks and internal audit plan (including backlogged audits) and then augmenting where necessary will help ensure organisations can fulfill the mandate to provide assurance over key risks and controls. In addition, consider potential conflict-of-interest risks prior to assigning resources to execute certain audits of first-line business functions that, at the onset of the crisis, borrowed third-line resources to support COVID-19 response and customer service activities. Audit leaders should have clear visibility into which individual employees were pulled for these first-line activities (including the specific timeframes and scope of this support) in order to ensure that related audits are staffed with properly independent resources, including those of third parties, as necessary.
As part of these efforts, internal audit leaders also should continue to focus on achieving aligned enterprise assurance. There are numerous risk management disciplines within financial services institutions. Internal audit can assume a key role in leading the discussion to align them and overcome obstacles assumed by the traditional three lines model. Next-generation internal audit groups seek consistency among the three lines in taxonomy, rating scales and language, and break down silos to establish a consistent message and voice and achieve organisational efficiencies in risk management.
- Recognise your people: In these tumultuous times, it is important to acknowledge your people and their efforts. Most staff members likely have been putting in extensive hours to conduct auditing activities while working remotely and amid changing business conditions. Take the time to express appreciation for everyone’s contributions and encourage people to catch up on vacations and recharge. Promote a flexible work schedule when possible and make sure to build in frequent touch points with team members, both as a group and individually.
- Increase frequency of communication with the audit committee, executive leadership and working groups: Amid the current environment, one of the areas likely to see a continued change is the process by which internal audit functions partner and communicate with executive leadership to identify and monitor the organisation’s overall risk. Chief audit executives and internal audit functions that have not already been communicating with their audit committee and/or executive leadership on at least a monthly basis should prioritise increasing the frequency of outreach to this level and consider whether different forms of communication and reporting are needed. For example, are live virtual meetings an option? More frequent communications, the content of which will likely evolve over time, will provide needed transparency into changing business conditions and new risks to address in the audit plan.
In addition to maintaining awareness of the broad range of issues the financial institution may be facing, audit leaders should participate in enterprisewide working groups and committees focused on addressing and responding to the challenges presented by the pandemic. These frequent touch points will help ensure that there is alignment on expectations and views of risk throughout the organisation.
- Consider the regulators: During these times of uncertainty, it is equally important to keep the lines of communication open with regulators and examination teams. In this dynamic environment, legislation is being passed at a rapid pace. We have seen this with new government programmes and regulations worldwide, as well as from various U.S. state insurance regulators, all designed to stimulate the economy, aid consumers and address the pandemic. Regulators are updating guidance and examination schedules and guidelines in real time. They have also had to shift their methods of communication and coordination among different agencies while adjusting to a remote working environment. They will likely welcome an open dialogue around an organisation’s current challenges and priorities given the breadth and depth of the pandemic’s impact.
Now is the time for internal audit leaders to leverage their long-standing relationships and partner with the financial institution’s regulator, up to and including sharing proposed internal audit calendars and action plans to ensure robust and transparent communication. Regulators may look to place additional reliance on internal audit functions in the near term to ensure that an organisation is managing and monitoring associated risks of the pandemic.
Internal Audit’s Role in Operational Resilience
The financial services industry has long relied on internal audit functions to assess and challenge the effectiveness of various programmes designed to protect and build organisational value. These programmes have included disaster recovery, business continuity, risk management, cybersecurity and many others designed to help institutions recover from an event.
However, with rapid technology development and globalisation, internal audit functions are having to evolve and adapt to emerging business risks and regulatory expectations. Regulators expect, and in many cases demand, that firms demonstrate greater resilience, while organisations, management and boards are under greater pressure to build out more robust resilience-focused programmes. The pressure comes amid fears that operational disruptions to the products and services financial services organisations provide have the potential to harm consumers and market participants, threaten the viability of these entities, and create instability in the financial markets. A string of large-scale technology outages and cybersecurity attacks in recent years has exposed systemic vulnerabilities and intensified regulators’ concerns.
Given the emerging nature and complexity of operational resilience, there is growing urgency for internal audit to play a bigger role in providing assurance that the governance, risk management and controls that are being created to enhance resilience capabilities are adequate. This evolving dynamic also provides an opportunity for internal audit to develop a flexible and comprehensive approach that not only targets all aspects of a resilience programme but also can be incorporated into existing business and IT audits.
Not a new concept, but one that is receiving scrutiny from regulators and leaders alike, operational resilience is defined as an organisation’s ability to detect, prevent, respond to, recover from and learn from operational and technological failures that may impact the delivery of critical business and economic functions or underlying business services. The concept of operational resilience is evolving as firms expand programmes and capabilities to address a broad range of threats that could cause business failures, systemic risk and economic impacts.
Within each organisation, operational resilience calls for stakeholders to promote a culture of resiliency through oversight, training and awareness, communications, and board reporting. The key components of operational resilience, which include defining and understanding important business services, impact tolerance and economic impact, are essential guideposts on the road to resiliency. And vitally important is the role internal audit plays in assessing these various components, providing assurance that stakeholders are addressing the key risks identified.
Working in concert with leading financial industry groups and individual institutions, Protiviti’s internal audit experts are expanding existing programmes to incorporate more comprehensive assurance over operational resilience. The revised resiliency audit approach addresses governance structures from an operational resilience perspective and provides coverage of all the foundational elements (e.g., cybersecurity, disaster recovery, business continuity planning and vendor risk management) within business-as-usual audits, and front-to-back resiliency processes.
For more information, read Protiviti’s white paper, The Road to Resiliency – Building a Robust Audit Plan for Operational Resilience, available at www.protiviti.com/operationalresilience.
The current COVID-19 pandemic is presenting financial services organisations with a series of shocks unlike any seen in generations. From rapid changes in how and where people work to a myriad of new risks across the enterprise, internal audit functions in the industry must rise to the challenge.
Chief audit executives and internal audit leaders must review their current slate of audits, prioritising backlogged projects to address the most urgent current risks to the enterprise. At the same time, they must evaluate new and emerging risks resulting from pandemic-related workplace changes and environmental exposures. To address these changes successfully, they should increase proactive communication among internal and external stakeholders and embrace the use of next-generation internal audit governance competencies, methodologies and enabling technologies.
Those FSI internal audit leaders that adapt successfully to this new normal and pivot from business as usual to take their rightful seat at the table will be best prepared to guide the internal audit function into the next generation.