What an extraordinary time to be recognizing Internal Audit Awareness Month. Changes have been rapidly taking place, yet one thing has remained unchanged: Internal Audit’s mission to protect and enhance organizational value, which is more crucial than ever in today’s environment. As we emerge from this crisis, what should Internal Audit be focused on to maximize value?
1. Re-evaluate a Post-Crisis Risk Landscape and its Impact on the Internal Audit Plan
There have undoubtedly been changes to the risk landscape, both externally from volatility in markets and internally through changes to business operations. Some of these changes may result in new risks for your organization, or simply cause a reprioritization of existing ones due to increases in the velocity and impact that they can have. In stable times, the view on risk is usually a longer-term consideration. Yet, in today’s environment, many will become immediate high priorities, necessitating urgent attention in order to enable the organization to evolve to its post-crisis state. You must ensure that your risk assessment takes these changes in priorities and timelines into consideration.
Risk areas that likely have been impacted include:
- Financial Risk
From revenue and cost management to financial reporting risks, financial risk broadly is the top risk that companies are focused on. CFOs are focused on preserving revenue streams as well as implementing cost-cutting measures. The risk assessment should also include a review of financial reporting impacts, such as changes in asset valuations and accounting estimates, going concern analysis, debt covenants and revenue recognition.
- Business Resiliency
Every company’s business continuity and resiliency plans have been put to the test. Given how well (or not) your organization has performed, consider where this risk falls on the risk heat map.
- Employee Safety
As employees return to work and the threat of COVID-19 remains, companies need to measure this risk and implement plans to protect their employees and their families.
- Cybersecurity and Privacy
Video conferencing and remote working have created new opportunities for malicious actors, exposing the business to new methods of attack and potential privacy breaches.
- Supply Chain Risk
Overreliance on individual suppliers may represent a much larger single point of failure for your organization if they are forced to close or experience supply shortages.
- Third-Party Risk
Critical vendors supporting the business have also experienced a changing operating environment that may bring additional risk to your organization.
- Fraud Risk
Changes in the business landscape and economic uncertainty may have created new opportunities and incentives for fraudulent activity that need to be considered in the organization’s fraud risk assessment and anti-fraud controls.
A reassessment of the internal audit plan is necessary considering the significant changes in the risk landscape. Be sure to understand what is top of mind for your Audit Committee. Consider the following:
- A reduced audit scope for required but lower risk audits is a way to address the key risks with less time required.
- Special projects are welcomed by management. Consider where your team can provide needed support through a special project that maintains the Internal Audit function’s independence. Internal Control training may be a good area to focus on if there has been significant change in the control landscape.
- Refresh the fraud risk assessment to account for changes in the control structure, as well as changes in opportunities and pressures.
- A post-crisis impact review in your organization would be valuable to management and the Audit Committee. Internal Audit has a broad perspective, understands where interdependencies, vulnerabilities and regulatory requirements exist, and is primed to provide an assessment of how various changes may impact the organization.
2. Conduct a Post-Crisis Control Impact Assessment
For organizations to successfully emerge from a post-crisis environment, Internal Audit must consider the impacts of the rapid changes management undoubtedly had to make during that time. Internal Auditors should be vigilant in understanding where controls have operated differently within the newly decentralized and remote environment. And for those organizations that will sustain this new remote strategy, are the newly designed controls sufficient to mitigate the risk?
Some key considerations are:
- Manual controls generally are at risk for not operating as intended, therefore creating risk of exposure. If the organization was working to address known control weaknesses, they likely increased at the onset of the crisis. Work with management to understand where these potential vulnerabilities are to ensure that the proper mitigation plans and remediation timelines are in place and provide recommendations to automate controls where possible.
- Maintaining a strong ethical tone and culture in a remote environment requires frequent and relevant communication in order to ensure that the organization is moving in the same direction and focused on the right priorities. Consider how management has kept the rest of the organization updated so that teams can respond and adapt in a way consistent with company values and priorities. Maintaining an ethical tone throughout the organization is the backbone of supporting the integrity of all other controls.
- Changes in key personnel are likely and will impact the control environment. Where reductions in force have occurred or are planned, understand whether segregation of duties issues have been created and what compensating procedures can mitigate this risk. For those personnel taking on new responsibilities, ensure that they have received the proper training to enable proficiency and success.
- Impact to controls that are in-scope for SOX compliance will need to be addressed throughout the year in order to sustain compliance. Where these review and approval controls are manual, how has management evidenced this process in a remote fashion? Will the revised process be enough to prove the integrity of the control (e.g., is typing one’s name in an Excel cell sufficient)? Moreover, ensure that the control owners have updated the impacted descriptions to minimize issues when the external auditors begin conducting their testing. The Public Company Accounting Oversight Board (PCAOB) is not relaxing its standards on the audit firms, so companies should anticipate the same level of control scrutiny, and in some cases increased focus, by the external auditor.
- A controls rationalization review will ensure that the benefits of controls continue to outweigh the costs of managing the risk. Depending on what changes your organization has undergone, reduced business in certain areas may warrant streamlining or reducing certain controls.
3. Internal Audit Function Resiliency Review
How has your Internal Audit fared during this crisis? Your team likely made some adjustments; were the adjustments indicative of areas where your team could inherently be more agile and efficient? From managing audit documentation, to maximizing audit coverage and audit reporting, there are various points in the audit process that can be improved. Continued focus on embracing innovation through maximizing technology and agile methodologies will enable your team to emerge stronger and provide maximum value.
Some places to start:
- If you are not using a Governance, Risk, and Compliance (GRC) tool, or it’s been a while since you last evaluated them, consider looking at them now. The cloud-based GRC tools have become more economical over the years. These tools streamline the audit process, support cohesion across decentralized teams, and come with dashboards that can be leveraged for reporting.
- Robotic Process Automation (RPA) can speed up repetitive manual testing or allow for continuous monitoring, giving you greater audit coverage with fewer resources. Internal Audit must also be familiar with RPA to effectively advise management on areas of the business that would benefit from its efficiencies.
- Because data can provide a laser focus on key risks and aid auditors in presenting meaningful insights to management, leveraging data analytics is a must for any Internal Audit department.
- Auditors should adopt agile project management practices, performing sprint-like audits that accomplish specific objectives in a short timeframe and are responsive to rapid changes in the risk landscape.
- Use data visualization tools and techniques to drive home your critical points and deliver insights. Recently, certain vendors have offered a free license for a short period, and some offer complimentary training.