COVID-19: Next Steps for Internal Audit
Internal audit is in a unique position to assist organizations navigate these unchartered times. Organizations are in a state of flux as they try to respond to the regulatory, financial and operational crisis that they are facing from this pandemic.
As internal auditors, we understand the organization’s business risks, operations and what can go wrong if attention to internal controls is not included in the changes being made to bridge the impact of COVID-19. Your organizations are changing the way they execute their operations. Internal auditors must demonstrate that we can also adapt to the changing environment through reinventing our approach to identifying risks and assessing the internal controls. This crisis calls for our internal audit shops to re-evaluate our organization’s risks and controls as the risk assessments we completed prior to the pandemic are most likely outdated.
The Institute of Internal Auditors has proven to be a comprehensive resource during COVID-19 and has provided positive suggestions for how internal audit can respond to the current environment while planning for the future. The following excerpt is from the IIA’s Resource Exchange and provides a suggested list of priorities for internal audit functions to consider as they begin working in the new normal.
- Actively engage in the organization’s lessons learned postmortem.
- Validate that the organization has completed sufficient end-of-crisis preparation to maximize revenue when operations return to normal. Ensure that where new processes are implemented, governance is in place.
- Verify that business reliance processes and documentation are updated based on the lessons learned postmortem, if needed.
- Leverage resources, including business benchmarks and internal audit networks, to understand key lessons learned and best practices from other audit leaders.
- Consider what critical technologies should have been or should be in place in the future to help executive leadership efficiently create and execute effective response plans to future crises with a similar impact on business operations. Examples: remote-working capabilities for employees, cloud-based audit, risk, and compliance collaboration solutions.
- Verify that our risk assessment process includes all risks that may have a significant impact on the organization in the next four to 12 months, even if the likelihood is low.
- Assess the frequency, scope of people involved, and the type of reporting of the current risk management process and adjust as necessary.
- Leverage automation, as much as possible, to expedite key risk management processes, including risk solicitation, aggregation, assessment, and reporting. Consider cloud-based risk management solutions that allow audit, risk, and compliance functions to quickly assess new and emerging risks, easily visualize the data, and create real-time risk reports.
Internal Audit Operations
- Assess the internal audit resource plan and budget to understand if or how the pandemic will impact internal audit. Consider how organizational layoffs, furloughs, and budget cuts will affect audit commitments.
- Reassess the internal audit plan to ensure audit resources are focused on process and risk areas most important to the business during COVID-19’s impact.
- Reassess how internal audit engages with control owners and audit customers. Will communication and interaction practices in place before COVID-19 enable audit to carry out responsibilities effectively? Are there opportunities to automate processes, such as document requests and the validation of remediated audit issues, with cloud-based, end-to-end audit workflow automation solutions?
- Consider the mix of audit versus awareness type projects. Is it possible that remote work can negatively impact control performance? If so, can internal audit help the organization by promoting the importance of governance, risk, and control responsibilities, and act as a resource for change management?
As business operations develop what their future “normal” will be, it is important for internal audit functions to be ready to step up as the trusted business advisor and provide guidance to leadership.
The IIA’s full insight paper, COVID-19 and Internal Audit, Preparing for the New Normal in 2020 and Beyond, includes additional internal audit recommendations along with helpful insights on the changing risk landscape.
Ms. Darlene Brown is a director with our Risk Advisory practice. She has more than 20 years of experience in leading internal audits, SOX Section 404 compliance testing, internal control evaluation, operational performance reviews, and business process improvement reviews. She has oversight responsibility for our co-sourced and outsourced internal audit services with a diverse clientele across all business sectors including state government entities, higher education, not-for-profit organizations, Fortune 500 companies, and public and privately held businesses. Connect with Darlene via email .
For more insights on improving business processes:
- Six Key Data Governance Questions for Directors
- Fraud and Internal Audit – Assurance Over Fraud Controls, Fundamental to Success
- Enterprise Risk Management – Integrating with Business Strategy and Performance
McConnell & Jones’ consulting services provide a systematic process for aligning operational outcomes with strategic objectives and stakeholder demands.